cado Kierkegz 





Ankara Bar 


Cyberlaw, Security and Privacy 


Sylvia Mercado Kierkegaard (ed) 


The Second International Conference on Legal, Security and Privacy 
Issues in Information Technology (LSPI) 2007, Beijing, China 


ISBN 87-991385-3-0 
ISBN 978-87-991385-3-1 





Cyberlaw, Security and Privacy 

Ankara Barosu Yayınları (Ankara Bar Association Press) 1000 Adet basılmıştır. 
(1000 copies) 

2.Bask: /2. European Edition 

Telif Hakkı © 2007 International Association of IT Lawyers (IAITL) 


Bu kitap Ankara Barosu tarafından bastırılıp dağıtılmıştır. Her bir makalenin telif hakkı 
eserin yazarına ait olup, yazarların görüşleri Ankara Barosunu bağlamaz. 


This book has been printed and distributed by the Ankara Bar Association. Views expressed 
by the writers are not binding on the Ankara Bar Association. 


İletişim Adresi: (Contact) 


Ankara Barosu Başkanlığı 

Ankara Adalet Sarayı Kat:5 (06100) Sıhhiye Ankara-Türkiye 
Tel : +90 312 310 55 26 

Faks : +90 312 309 22 37 

E-Posta : ankarabarosu@ankarabarosu.org.tr 
Web : www.ankarabarosu.org.tr 

Baskı /printing : Güngör Basım Yayın Tic. 

Tel : +90 312 229 64 82 


Sylvia Mercado Kierkegaard (ed.) 


Cyberlaw, Security 
& Privacy 


Second Legal, Security and Privacy Issues in IT {LSPI} 


Conference (Beijing, December 5-7, 2007) Proceedings 


ISBN 87-991385-3-0 
ISBN 978-87-991385-3-1 


Cyberlaw, Security and Privacy 
©2007 by the International Association of IT Lawyers (LAITL) 
http://www. iaitl.org/ 


Photocopying for non-commercial purposes is encouraged providing all such copies 
include complete citation and copyright notices. 


Published by the International Association of IT Lawyers 


Editor 
Sylvia Mercado Kierkegaard 


Layout and Design 
Patrick Kierkegaard 


ISBN 87-991385-3-0 
ISBN 978-87-991385-3-1 


Copyright 


The submission of the paper implies and warrants that the article submitted are the au- 
thor(s)’ own work and it does not infringe or violate the rights of anyone else. The author 
grants ILTC/IAITL the non-exclusive rights to reproduce and distribute in whole or in 
part, the work submitted to the Conference for publication. The agreement does not cover 
reproduction for purposes that are essentially commercial. Furthermore, the author (s) un- 
derstand that it is their sole responsibility to obtain written permission to include any copy- 
righted materials in his/their article. In addition, all trademark use within the manuscript 
must be credited to its owner, or written permission to use the name must be granted. The 
author(s) will hold the publisher harmless from any unlawful matter contained in his sub- 
mitted work. The author(s) in consideration of the publication of the above named man- 
uscript understand and agree that: 


Copyright in the article will remain with the owner of the copyright. By 
submitting an article to the conference, the owner of the copyright grants 
the publishers with a license to publish the article. The author warrants that 
he is the owner of all rights of copyright in the article. Where the author 
subsequently publishes the article, the author is requested to acknowledge 
the article appeared in the book of proceedings. The Author(s) will indem- 
nify and defend the Publisher against any claim, demand or recovery 
against the Publisher by reason of any violation of any proprietary right or 
copyright, or because of any libellous or scandalous matter contained in 
the Manuscript. The Publisher will have the right to edit the work for the 
original edition and for any revision, provided that the meaning of the text 
is not materially altered. This Agreement represents the entire under- 
standing between the parties hereto with respect to the subject matter hereof 
and this Agreement supersedes all previous representations, understand- 
ings of agreements, oral or written, between the parties with respect to sub- 
ject matter hereof and cannot be modified except by a written instrument 
signed by the parties hereto. This Agreement shall be binding upon the par- 
ties hereto, their heirs, successors, assigns and personal representatives. 


Vi 


Foreword from the Ankara Bar Association 


Peter F. Drucker - one of the most significant commentators on business man- 
agement in the last century — once said in his book Post-Capitalist Society (New 
York: Harper Business, 1993) that to have information is ‘to know thyself’. Bor- 
rowing from Socrates, who influenced and enlightened humanity for the last 2500 
years although he did not leave anything written behind, Drucker identified the es- 
sential role of information in growing as a human being, which affects both in- 
tellectual and moral terms. 


Others have found similar insights, which span both Eastern and Western thought: 
According to Protagoras, the greatest competitor of Socrates, information is ‘logic, 
grammar, art of speaking.’ 

According to the Tao and Zen philosophies, it is ‘the way which leads to enlight- 
enment, to wisdom, to philosophy’, in other words ‘to know thyself’. 


According to Eastern Philosopher Confucius, it is ‘to know what to say, when to 
say and how to say.’ 


The word technology, which consists of the Greek word ‘techne’ meaning ‘skill, 
being useful, craft/art’ and another Greek word ‘logi’ meaning ‘organized, sys- 
tematic, targeted information’, was in fact born as a result of applying informa- 
tion to the equipment, processes, and products. 

Technology, which meant ‘speaking on the arts’ in the ancient Greek, is defined 
as follows in today’s world: ‘science fulfilling the practical daily life requirements 
or the applications of human beings for controlling, shaping, changing their sur- 
rounding and all of the concrete and beneficial results obtained from scientific re- 
searches and all of the tools, and methods and processes regarding these.’ 


The Industrial Revolution became a driving force uniting technology to the in- 
tensification of production. Information turned out to be a significant component 
of production, and it even turned out to be the tool for capitalism, contrary to the 
ideas of the classical Marxist views. 


Today what we call ‘information processing’ is in fact the name of the discipline 
which studies the methods used for the transformation of information, i.e. the 
methods used for applying information and the mechanisms used for realizing the 
transformation of information into useful functions. 


The information processing mechanism has also created new information net- 
works, allowing people to connect to each other in new ways. New languages, 
theories, images, symbols, and meanings have developed which give the oppor- 
tunity to accumulate and store information in unprecedented quantities. New tools 
help us to relate data in various forms, turning them into new information, giving 


Vil 


them content and functionality that unites this information into still wider mod- 
els. Such tools today are used very widely in almost every field of science, in 
management, industry, trade, as well as in the arts and other worlds of ideas. 


Marx said the following when defining the time of the revolution: ‘Revolution 
takes place when the social production relations (i.e., the style of possession and 
production) hinder the development of the production means (i.e., the technol- 
ogy).’ 

The Industrial Revolution created new forms of wealth and new social structures, 
which were possible because of technological changes overcoming the constraints 
of feudal social structures. This comment of Marx may also suggest reasons for 
the collapse of the Soviet Empire. The socialist structure and relation of the soci- 
ety collapsed because it resisted communication and computer technology and 
especially the new system for creating wealth based on information. In other 
words, their system did not understand and interpret this aspect of Marx very well. 


Gorbachev was the first Soviet administrator to see and admit this point. For this 
reason, Gorbachev said the following when he started his own revolution: ‘we 
collapsed because we were one of the last to understand that information is the 
most expensive and valuable asset in this era of information.’ 


In today’s world, information has becomes the most significant resource for a de- 
veloped economy, and its value has increased constantly as technology has im- 
proved. Expansive information networks give rise to new value, which is possible 
through collaboration. 


Developed countries today are in the global trade of information, inventions, man- 
agement, culture, high technology, software, education, medical care, finance and 
services provided in these fields. These countries focus on new ways of creating 
and assessing information, and this development permits economic and social ex- 
pansion beyond that which is possible in economies that are based primarily on 
agriculture, mines, cheap labor, and mass production. Moreover, the free flow of 
information from globalization also extends to individuals and firms, thus en- 
hancing freedom and making it difficult for governments to maintain controls to 
‘the same degree as when information flows were more limited. 


As members of the Ankara Bar Association, we have witnessed this rapid change 
in information structure and have adapted to it in our profession. We are aware 
that our most significant function is to provide information efficiently to our 
clients. As a professional institution, we attribute a special importance to ‘infor- 
matics’ which means ‘accessing, distributing, transferring, processing, storing, 
controlling and recovering information.’ The foremost reason for us to support this 
journal is the special significance and value we attribute to information, to infor- 
matics. 


As a leading institution in our profession, the Ankara Bar Association supports the 
desire to communicate with other professional institutions. In this context, Ankara 
Bar Association desires to establish sincere and continuous communication with 


Vil 


other attorneys worldwide, to exchange views with them, and to promote and 
teach a culture of advocacy and justice at a national and international level. All hu- 
manity benefits as we are able to expedite our progress in these areas, and to 
achieve our objectives it will require cooperation from the world’s attorneys and 
their Bar Associations, as well as other relevant international organizations re- 
lated to the domain of attorneys. 


In connection with specialized education and updating information and knowledge 
of its members, the Ankara Bar Association hopes to be able to join worldwide in- 
formation networks and have a potent presence and participation in international 
markets of rendering legal services. International organizations have grown in 
importance during the 20% Century, and that growth will continue into the 21* 
Century, as there will be increasing demands for organizations that serve needs 
within transnational communities. 
Ankara Bar Association believes that the role of contributing to the betterment of 
national and international society is not limited to states and state agencies; non- 
profit organizations, corporations, and institutions should play a role in building 
a brighter future for everyone. As David Maurrasse put it so well in A Future for 
Everyone (New York: Routledge 2004), 

“they can do this by raising issues of equity and inclusion, pushing 

international society to have social responsibility in deeper, lifting up 

the policy context; defending the supremacy of law, democracy, 

human rights, and peace; changing the frame through which stories 

are told and focusing on solutions.” 
The opportunities are there, and only by seizing them will social justice and so- 
cial responsibility be achieved. 


With My Best Regards, 


V. Ahsen Coşar 


Attorney at Law 
President of Ankara Bar Association 


PREFACE 


Information technology has emerged as a pervasive and profound influence in 
our world. The realm of information technology is no longer seen as a self-con- 
tained domain governed by scientists and specialists, but as an integral part of 
the social, economic and legal environment. This transformation, which 
reaches from the laboratory to the living room, creates challenges across the 
globe, as individuals, governments, and institutions adapt and react to the pow- 
erful combination of freely-flowing information through networked commu- 
nications. i 


Rapid change raises complex transition issues for governments. Transnational 
access obliterates the significance of political boundaries, thereby presenting 
new challenges to national sovereignty with the potential to change the nature 
of the fundamental order. Thorny issues concerning the regulation of matters 
such as pornography, Internet gambling, or government criticism are presented 
along side the potential benefits of new access to beneficial information, prod- 
ucts, and services, which can cross geographical boundaries. Free-flowing in- 
formation presents unprecedented opportunities, but also unprecedented threats 
to our security and privacy, as we struggle to find the proper roles for govern- 
ment and private ordering in solving the social, moral, and ethical quandaries 
we face in this environment. Existing laws have frequently been found want- 
ing, thus challenging judges and legislatures to provide new solutions to com- 
plex legal problems. 


This book addresses security, legal, and social challenges that have emerged 
from the convergence of information and communication technologies. Many 
authors have contributed to the content of this book, Cyberlaw, Security and 
Privacy. Their expertise has been gained through experiences that span the 
globe, as a product of different cultural, political, and social influences. The 
confluence of thought from academic, government, and business leaders in 
Beijing, which was made possible through the Second Annual Conference on 
Legal, Security and Privacy Issues in Information Technology, reflects the 
promise of a world without barriers to sharing information, expertise, and 
knowledge. 


Xl 


The articles in this book provide insight, discussion, and analysis of legal de- 
velopments in cyberspace covering issues such as liability in the workplace, cy- 
bercrime, wiretapping, data retention, Internet gambling, virtual worlds, and 
other cutting-edge developments. Such articles may broaden our understand- 
ing, but we also hope they broaden our knowledge of the need to understand 
one another. At least, “Pli bona io, ol nenio“ (i.e.,’Something is better than 
nothing.”) We may see through a glass darkly, but the promise of dialogue 
with both interdisciplinary and international dimensions, reflects an optimistic 
future. Through collaboration, cooperation, and healthy competition, we stand 
a better chance to development of new social, economic, and commercial struc- 
turs that realize the potential that technology has to offer, while at the same 
time accommodating the challenges presented by our cultural, social, and po- 
litical differences. 


We hope that this book will be a valuable guide for anyone seeking construc- 
tive engagement with regard to Cyberlaw, Security, and Privacy issues. 


Sylvia Mercado Kierkegaard 


Edward Morse 
November, 2007 


XII 


Cyberlaw, Security and Privacy 
ISBN 87-991385-3-0 
ISBN 978-87-991385-3-1 


TABLE OF CONTENTS 
Copyright 
Better a Sword than a Shield: The Case for Statutory Fair Use Right in the Place 
ofa Defence .......ececccecesscescesscssceseessesecncecceseesceecesssesseseesnsesesseseeeeserssessssesnessnsesseseesensessersea® 1 
Warren Chik 
International Private Law Issues regarding Trademark Protection and the Internet 
within the EU ......ses.esesesoeseereseseseerrrsssessrssreeserereeseesessnrestsenseretreseerenerersreseresrerenersereesssereeree 29 


Zuzana Slováková 


Armageddon on the Digital Superhighway: Will Google E-Library Project weather 
the Storm? ......c.cccscscecssesescesssescesssesescsccsesccsesesececssssesesesasseesseeaenesstsceenessassensneasensasonenenerseasee 45 
Akhil Prasad & Aditi Agarwala 


From Sony Librié to Sony Reader and iLiad: The Beginning of the End? 


Legal Implications surrounding the eBook debate, Sony Reader and iLiad ................4 63 
Dinusha Mendis 

Safe Harbor Provisions of Chinese law: How Clear Are Search Engines from 

Liability 2 oo... eecsessesseecssssssssesssseseenssesscsncenneenesnsecsesnnesasennecanennscassensnnncnscnnscansancesscassensantens 79 
Huaiwen He 

The Idea-Expression Dichotomy: Inidianizing an International Debate ..........--..1-+- 93 
K.P. Abinava Sankar & Nikhil L.R. Chary 

Patent in Genetic Technology .........:.::scssccsssssseseneseseneeseenerecersesesessaseeeesenenensenentassegeasisans 111 


Chen Jinjin and Li Raojuan 


Internet Domain Names Interrelationship with other legal rights: Israeli and 
Palestinian perspectives ..........scssecseseessesessceneesssnesessesseneeneenenasarsncnncansacaasoncacessesseeesenseas 121 
Mohammad Alramahi 


Whodunit ! Assessing Copyright Liability in Cyburbia: Positing Solutions to 
Curb the Menace of Copyrighted ‘File Sharing’ Culture..............:ssssssesessssseserentereneenenes 137 
Akhil Prasad and Aditi Agarwala 


Cybercrimes 


Harassment through the Digital Medium A Cross-Jurisdictional Comparative 
Analysis on the Law on Cyberstalking ...........-::sssessesssssssseeeserseacensatenecnsenenseasasensensnnsens 159 
Warren Chik 


Identity Theft and the Gullible Computer User: What Sun Tzu in The Art of 
War Might Teach .........ccccssssesssesessseseesseenscnsscersssssesnesnsanenecansnsnacansasensarsssevensnscesenarnneaseas 183 
Joseph Savirimuthu 


New Phishes in the Pond: A Wake up Call for China in the Context of 


Management of Computer Crime ..........---s-scsecseesesesseenssnesseeneeneserecneenssscenerereesenennennants 201 
Shalini Kesar 


XII 





Cyberlaw, Security and Privacy 
ISBN 87-991385-3-0 
ISBN 978-87-991385-3-1 


TABLE OF CONTENTS 


e-Commerce & Regulation 


An overview of information society law in the European Union ................. 219 
Paul Przemyslaw Polanski 


The Impact of Legal challenges on the Evolution of Shopbots and Metabots ....... 233 
Yun Wan & Qi Zhu 


Cross-border business in the European Union and statutory disclosure 
requirements: using IT as a catalyst for further market integration ............... 247 
Kristof Maresceau & Michel Tison 


The Independent Regulatory Body: A New Regulatory Institution in Privatised 

Telecommunications Industry (The Case of Indonesia) .................0-0--.. 265 
Atip Latifulhayat 

Data Protection & Privacy 

Tapping and Data Retention in Ultrafast Communication Networks .............. 289 - 
Bart Custers 


Privacy-enhancing user-friendly Identity Management for Location 
Based Services using PRIME technology — A legal discussion .................. 301 
Eleni Kosta, Jan Zibuschka, Tobias Scherner & Jos Dumortier 


The Regulation of Data Privacy in Hong Kong ..........0.0.0-ccccecececeee. 317 
Ji Lian Yap 


Privacy protection and the right to information: in search of a new symbiosis in the 
MAOA O ABE sete rs 'soc a A a ian ieee aa T A ben teams 331 
Pieter Kleve & Richard De Mulder 


Towards Bridging the Knowledge Gap between Lawyers and Technologist ........ 353 
Rasika Dayarathna 


Wresting Informational Privacy from Free Speech .............0.0 cece ceeceee 365 
Sabah S. Al-Fedaghi 


User Perspective of Privacy in Mobility Pricing Systems: A Survey .............. 385 
Muhammad Usman Iqbal & Samsung Lim 


Virtual World 


Towards a System of Estates in Virtual Property. ..........0.0.0.0-c0ccecceceee. 399 
Juliet M. Moringiello 


No One Knows You Are A Dog: Identity and Reputation in Virtual Worlds ........ 411 
Angela Adrian 


XIV 


Cyberlaw, Security and Privacy 
ISBN 87-991385-3-0 
ISBN 978-87-991385-3-1 


TABLE OF CONTENTS 


Choice of Law & Jurisdiction 


Choice of Law, Jurisdiction, and Recognition and Enforcement of 


Judgements in E-commerce in South Africa ....... 6... e erence eee eee 429 
Omphemetse Sibanda 

The Internet Gambling Conundrum: 

Extraterritorial Impacts of Domestic Regulation .........--..-.+e secrete eens 443 


Edward A. Morse 


Human Rights and Liability 

The Workplace of the Future — Liability Issues and Risk Management. ........-.- 461 
Nigel Wilson 

Global Technology and Modern Commercial Agency of Necessity ........-++++++ 471 
Tim Vollans 

Telecommunications & Governance 

SafeSeaNet and traffic monitoring of ships and dangerous or polluting 


goods in maritime transport within the European Economic Area ...:......--+-+ 485 
Einar Hannesson 
Revisiting Network Neutrality .......se.ssssssrrrerersrsrerrerererserren 499 


Rebecca Wong, Daniel B.Garrie & Daniel W. Loewenherz 


The Enhancement of Transparency in Internet Governance .........---+++-++e 515 
Prof. Dr. Rolf H. Weber 
e-Finance & Economics 


Principal Differences in Financial Reporting Bases in Czech: Comparison 
of IFRS and Czech Accounting Standards Requirements .........--++-seeeeees 531 
Jiri Strouhal 


Cost, Defining, and Responsibility of Government Purchasing Open Source 
Software .. 0... cece ce ee cee eee cence eee ene eet eeeeeeeeeeee 547 
Ma Minhu , Feng Liyang & Dong Zhifang 


Stones from Other Hills:Finality Rules within the Law of International 


Large Value Electronic Credit Transfers in China .........-- +--+ ees errr eres 557 
Wen Li 

XBRL — the Tool for Automated Semantic Readability of Electronic 

Financial Statements .... 2.0... ee tenet ete eee n tees 571 


Ladislav Mejzlik & Jana Istvanfyova 








Cyberlaw, Security and Privacy 
ISBN 87-991385-3-0 
ISBN 978-87-991385-3-1 


TABLE OF CONTENTS 


Evidence & Security 


Legal and Ethical Implications of GPS Vulnerabilities ..................... 


Muhammad Usman Iqbal & Samsung Lim 


Digital Evidence and Electronic Lawsuits: How far do we BO? artes eles ee os 


Carlos Alberto Rohrmann & Jason S. de Albergaria Neto 


Computer Forensics: from the Technological, Procedural/Organizational and 


Legal Perspectives 6.5 5a .c.3 phe atorncbaiesds onanan eed ase cous See Deca 


Kwok Hung Mak & Barry Chin Chi Yung 


Technological and Legal Aspects of Communications and Information 


Security: Case Study Olympic Game ..............0 000.0 c L. 


Peter Stavroulakis & Steven Stavroulakis 


Research on Lawful Interception in Information Society from a 


Comparative Law Perspective ........0..000 000 cece cee cee cecceeceeceee. 


Ma Hairong & Ma Minhu 


Copyright, Censorship and Privacy: Is Cyberspace Over Crowded? .......... 


Tang Guan Hong - 


XVI 


3349939 


... 659 


Cyberlaw, 
Security and Privacy 


Sylvia Mercado Kierkegaard (ed.) 


Cyberlaw, Security and Privacy 
©2007 IAITL 


ISBN 87-991385-3-0 
ISBN 978-87-991385-3-1 


XVII 


Better a Sword than a Shield 
The Case for Statutory Fair Use Right in the Place of a 
Defence 


Warren Chik 


Assistant Professor of Law 
Singapore Management University School of Law 
LLB (Hons) NUS, LLM (IBL) University College London, LLM (ICL) 
Tulane University 
Advocate & Solicitor (Singapore), Solicitor (England & Wales), Attorney & 
Counsellor at Law (New York) 


Abstract. This paper endorses a reinvention of the general and 
flexible fair use doctrine through the simple powerful elevation of its 
legal status from a legal exception to that of a legal right, and identifies 
the all the benefits that a fair use right entails. 


1. Introduction 


The relatively recent prominence of information technology in relation to the 
duplication and dissemination of creative works and the concomitant use and 
abuse of technology in relation to such works have created a state of disequ- 
ilibrium into the delicate equation of balance that underlies the international co- 
pyright regime. Copyright holders have sought to redress the apparent 
disfavour to their interests by successfully lobbying for greater extensions of 
their legal protections over works in several key regards - time, space and mat- 
ter. The speedy, overzealous and untested manner in which the legal response 
has taken has resulted in overcompensation such that the interests of individu- 
als and society have been compromised to an unacceptable degree. 


Considered in vacuo, information technology is beneficial to mankind as 
it provides for new and additional channels for human interaction and have all 
but erased the impediments of time, distance and format that persist in the phy- 
sical plane. However, the reality is that the function of such technology taken 
in context has very diverse effects. For example, Peer-To-Peer (P2P) Techno- 
logy encourages the greater exchange and re-use of works; others have emer- 
ged to constrain access and use of works, such as Technical Control Measures 
(TCM), which is a form of Digital Rights Management (DRM). Thus, techno- 
logy can be developed with the objective of a freeing as well as a limiting ef- 
fect. 


Although self-help and private remedies are available for all the stake- 
holders concerned to promote their interests, often at the expense of the other, 


1 


the law has remained the primary instrument of copyright regulation and in a 
sense the final arbiter of fair apportionment of rights. However, inevitably po- 
litics and economics have skewed the quest for legislative equilibrium. Recent 
amendments to the international and domestic copyright regime have tipped the 
balance of interests in favour of copyright holders. The problem lies not only 
in the existence of such new law but also in their construction, particularly 
where they relate to technology, as well as in its failure to consider the possi- 
bility that the virtual dimension has fundamentally shifted the theoretical fo- 
undations of the copyright regime itself. 


One of the strongest criticisms against the current protectionist climate 
relates to the general and wide ‘double protection’ offered by DRM and Anti- 
Circumvention Laws (ACL), which have inadvertently caused the displace- 
ment of the important fair use exemptions, which many consider the last bastion 
for the protection of civil rights to works, through its preemptively preclusive na- 
ture. This has even greater practical and policy concerns especially in juris- 
dictions that retain narrow purpose-specific fair dealing exceptions as a defence 
against copyright infringement. This is not merely an academic problem as it 
clearly evinces the greater influence industry lobbyists have over the charac- 
ter of copyright law controls over creative works, which is not representative 
of the interests of individuals and society. 


Meanwhile, the increasing penetration of electronic forms of storage and 
communication, the borderless nature of the Internet that provides the gateway 
to the World Wide Web (WWW) and the invention of enabling technologies 
such as P2P is evidencing a general social shift towards more open collabora- 
tive creativity and the rise of a new global consciousness of sharing and parti- 
cipation across national, physical and jurisdictional borders. This new model 
of human intercourse (behaviour) and the new mindset (expectations and atti- 
tudes) should strongly inform law and policy makers when considering the su- 
itable apportionment of rights over creative works in the digital age, which is 
fundamentally different from the industrial age context in which the copyright 
regime was created. 


The main thesis in this paper is not to propose the destruction or even a 
radical overhaul of the copyright regime but rather the reinvention of the ge- 
neral and flexible fair use doctrine through the simple powerful elevation of its 
legal status from a legal exception to that of a legal right, with all the benefits 
that a right entails. This is not merely an exercise in semantics and the simple 
change in legal status of fair use will go very far in recalibrating the scale and 
go some way in offsetting the imbalances caused by the combined prohibitive 
effect of the protectionist revisions, in particular the double threat of 


DRM/ACL have posed on individual creative re-use and other societal fair 
uses. Such a change will render copyright law more accurately reflective of an 
electronically interconnected global society and also acknowledge the impor- 
tance and benefits of enabling technologies and its role in human integration, 
progress and development. This standard should be consistent in both the in- 
ternational and national copyright regimes. 


In Part 2, I will establish the trend towards greater copyright protectio- 
nism including the world-wide proliferation of ACL provisions. In Part 3, I 
will look specifically at the negative effects of existing DRM/ACL provisions 
on fair use. In Part 4, I will present the procedural and substantive changes that 
a “fair use right” should entail and explain the extent it can go towards reme- 
dying the current imbalance wrought by the protectionist actions of recent 
years. The legal, social and policy implications of a fair use right as opposed 
to an exception will be laid out in the form of a Charter of Rights omnibus. 


2. The Creeping Vines of Copyright Protectionism 


2.1. The Stakeholders and the Balancing of interests 


The copyright regime of protection was established on the basis of a balance 
of interests between stakeholders to creative works. The traditional private in- 
terest parties remain relevant, namely the copyright holders that include both 
industry players and individual or groups of creators on the one hand and in- 
dividuals such as consumers and users on the other. Overarching these private 
interests is the public interest in the generation of creative works and in other 
interests such as civil rights interests that advises public policy in this area. 
The governments as the custodians of society have the burden of overseeing the 
creation and regulation of an optimal balance, which is an ongoing process, 
particularly given the onset of the digital age and in the acceleration of global 
connectivity and technological progress. 


With the rise of the electronic media, new parties and interests have 
emerged which complicates the balancing matrix thereby contributing to the 
current state of imbalance and one that necessitates such a realignment of in- 
terests. With the evolution of digital technologies, what was once the preroga- 
tive of the few is now the privilege of many as the cost of creation, storage, 
reproduction, adaptation and distribution continues to fall and the power over 
them is dispersed, as the tools and outlets for doing so become more sophisti- 
cated and the general population more tech-savvy. There are fundamental chan- 
ges to the creative landscape and its players such as in the increasingly 
prominent profile of the user-creator in participatory media and in valuable 
forms of secondary creativity as well as technology creators and producers. 


3 


2.2. Copyright in the Context of New Media 


Many of today’s copyright battles are not over new issues, but are instead they invo- 
Ive old issues in the context of new media. The Digital Age has produced both socio- 
economic and philosophical challenges to copyright law and policy. Moreover, the 
copyright implications are exacerbated as the forms of creation susceptible to digiti- 
sation and digital transfer have extended from literary to musical and visual works as 
well as other forms of expression. Thus, it is not surprising to see the increasingly fre- 
quent and amount of amendments to copyright statutes and in the rise of copyright is- 
sues in the courts, seeking to cope with the changes wrought by digital technology. 
Most of these changes are reactive rather than proactive and many of them have been 
subject to scathing criticisms of copyright protectionism and monopoly. They come in 
many forms, which will be examined in the following pages. 


The notion of a creative work that is susceptible to property, ownership 
and control concepts and to vertical transfer is challenged due to its unique fe- 
atures that distinguish the digital form from its more traditional tangible co- 
unterpart. For example, music is technologically rendered “nonrival” as its use 
by one does not reduce its value for another, it is ‘infinitely expansible’ as the 
quantity of the work as a market good can quickly become infinitely larger at 
zero marginal cost (due to the zero cost of expansion), “aspatial” as it can have 
no fixed location in space, and the costs of storage and distribution are very 
low, “discrete” since one will consume a discrete number of units of fixed size, 
and “malleable” as it can be customised, modified and recombined at near zero 
cost (due to cheap and widely available technology). 


2.3. The Creeping Vines of Copyright Protectionism 


The ever widening scope of protection under the copyright regime is making 
it a copyright holder’s world. The significance of referring to the “copyright 
holder” is due to the fact that in the industrial age, creativity is an increasingly 
nurtured, if not manufactured, product in a primarily profit-generating industry. 
Copyright does not always belong to the creator. In such an environment, the 
author may not have as much control over his creative works except to the 
extent stated under contract, whether with the industry in question or with a col- 
lecting society or both; and to the limited extent reserved under law, such as his 
moral rights over his works, which varies across jurisdiction. The perceived 
threats to the largely commercial interests of the media industry have led to 
‘knee-jerk’ laws in the form of wild net-casting wide provisions through suc- 
cessfully lobbying of government and organisations. Copyright holders seek 
control over time (period of protection and extensions), space (method of trans- 
fer and operability) and matter (control of access and use). In the meantime, the 
digital age is challenging these preconceived and entrenched notions of pro- 
perty, ownership and control. 


2.3.1. Time Extensions: An Ever Shrinking Public Domain 


Copyright protection is time limited, but in recent years, copyright holders, in 
particular industry lobbyists and big corporate entities with strong commercial 
interest in the monopolistic exploitation of creative works that they ‘own’, have 
managed to have the time limitation extended. For example, in the U.S., the 
temporal limit for copyright monopoly have become rather elastic resulting in 
generous extension of protections through the Sonny Bono Copyright Term Ex- 
tension Act (CTEA) of 1998[1 ] which lengthened the copyright protection term 
to life of the author plus seventy years and the Copyright Renewal Act (CRA) 
of 1992, which made copyright renewal automatic. We see such extensions 
transposed to other countries, obviously influenced by the U.S.’s practices and 
as a trade concession in trade agreements. 


2.3.2. DRM and ACL: Controlling Access and Use through Delivery and 
Form 


As traditional laws and policy appear to copyright holders as inadequate to re- 
sist the tide of social norms against the existing exclusive package of rights 
held by copyright holders caused by new media, the media industries seek to 
reverse the trend through ‘norm manipulation’ (or “norm entrepreneurship”)[ 2] 
through private practices that they sought to be sanctioned and supported by, 
legitimised by force of, law. These measures come under the umbrella term of 
Digital Rights Management (DRM) and include the promulgation of licenses 
over the use of creative works (in lieu of full sale or transfer of ownership) and 
the use of Technical Control Measures (TCM). For the purposes of this paper, 
“DRM” is an umbrella term to describe any measures to manage, secure and 
control access to and use of digital content including all forms of Technical Con- 
trol Measures (TCM),[3] ranging from simple copy-prevention technologies to 
comprehensive secure distribution systems, as well as the management and 
protection of digital content by various other legal instruments. 


This part relates mainly to two-pronged offensive of DRM and Anti-Cir- 
cumvention Laws (ACL), which legally prohibit the general development and 
use of measures to elude or thwart DRM. Although TCM features most pro- 
minently in terms of usage and in this critique of DRM, other private and pu- 
blic methods of strengthening copyright controls should also be noted including 
the extension of exclusive rights (both time and type), license proliferation 
(e.g. End User Licensing Agreements (EULA) and technology license agre- 
ements) and increasingly draconian civil and criminal sanctions that are pre- 
scribed and enforced against individuals. DRM also is not just about TPM or 
copyright protection, it also includes Rights Management Information (RMI) 


5 


such as the collection of user information. These have implications beyond co- 
pyright laws and can clash with other laws and policy such as privacy and data 
protection, which are legal rights in many countries, in particular the EU Mem- 
ber States. So unless DRM (or RMI) can be limited to copyright protection 
only, there is even greater justification and force for a mechanism to guard aga- 
inst the abuse of DRM (and ACL) that can lead to the incursion of other civil 
rights. 


The introduction of DRM and ACL into the copyright protection regime 
is instituted at several levels and their transposition into domestic laws is faci- 
litated by concessions at the table of trade negotiators. At the international 
level, the World Intellectual Property Organisation (WIPO) produced copyri- 
ght treaties;[4] and at regional and national levels, [5] legal instruments have 
also been produced with in respect of these measures. Free Trade Agreements 
(FTA) have accelerated the spread of its incorporation into law, largely through 
the influence of the U.S. For example, broadly drafted DRM/ACL provisions 
that are substantively similar to those under the U.S.’s Digital Millennium Co- 
pyright Act (DMCA) of 1998, have been adopted into the copyright legislation 
of its trade partners such as Australia and Singapore [6] Furthermore, provi- 
sions in the Council of Europe’s Convention on Cybercrime of 20017] which 
many European countries as well as the U.S., Canada and Japan are signatory 
countries, may have the effect of criminalising the circumvention of DRM se- 
curity measures and related preparatory activities as well. [8] 


The primary negative effect of DRM and ACL has been on its effects on 
fair use. There are also other negative effects such as on secondary forms of 
creativity, technological inventions[9] future access to information; as well as 
effects against the market (e.g. anti-competition and monopolistic tendencies), 
society in general, consumers in particular, and other public policy concerns (e.g. 
security research and development{10] disclosure and surveillance). The bona fide 
use and potential non-substantial infringement use tests from cases like CBS 
Songs v. Amstrad Consumer Electronics{11] and Sony Corp. of Amer. v. Uni- 
versal City Studios, Inc.[12] seem to have been conveniently ignored in the 
drafting of the DMCA and its ilk. TCM were not necessary for those forms of 
technology and yet creativity still flourished, and the same arguments can also 
apply to modern forms of technology easing usage and transfer, which inci- 
dentally benefits not just users and the public but also private entities through 
the potential of new business models. 

The Sony BMG CD Copy Protection scandal in 2005 provides a good il- 
lustration of the use of DRM ‘gone wild’ due to the freedom of its use derived 
from widely drafted legislation and permissive DRM (and ACL) provisions. 
[13] DRM itself can involve the use of spyware and even malware depending 


6 


on the nature and function of the program used, or it can facilitate such abuses 
by others as the Sony BMG case illustrates. Although the case did not proceed, 
it is clear that as a consequence of its actions, a whole host of non-copyright 
laws are potentially implicated, such as trespass to property and privacy, unfair 
contract terms and non-incorporated terms, consumer protection laws and so 
on. It is also clear that the use of DRM is still subject to existing laws even if 
the law sanctioning its use does not state any limitations as to its uses. 


2.3.3. Vigorous Enforcement: Using the Iron Fist of Criminal Liability 
on Primary Infringers 


The reinforcement of strong civil actions with the prescription and enforce- 
ment of criminal liability can only produce a dampening effect on fair use and 
also cultivate mistrust among users in society towards copyright holders, [14] 
which will only serve to widen the divide between copyright holders and other 
segments of society. For example, in the U.S., criminal liability has been exten- 
ded to copyright infringement in the No Electronic Theft Act (NET) of 1997, 
[15] which also extended infringement of copyrighted material for personal as 
well as commercial use; and the DMCA itself criminalised acts that may lead to 
infringement[16] Profit motive and commercial purpose (i.e. actual profite- 
ering or expectation of financial gain), which was not a crime before, have be- 
come one in the recent legislation of some countries just as it has under the 
NET. Not only have penal sanctions been extended, punishment provisions 
have also increased in severity[17] In effect, these are extensions of the rights 
of copyright holders. 


2.3.4. Expanding Rights: Through the Nature and Form of Use of 
Works in the Digital Realm 


Much has been said about the DMCA, but there are other laws that also direc- 
tly extend the copyrights of use. Again, in the U.S. for instance, the Semicon- 
ductor Chip Protection Act of 198418] extended copyright protection to 
“mask works”, and the Digital Performance Right in Sound Recordings Act of 
1995 [19] grant to copyright holders the exclusive right to perform their co- 
pyrighted works by means of digital audio transmission. Many commentators 
argue that the anti-circumvention provisions of the DMCA actually created a 
new form of exclusive right for content owner: Right of Access [20] This right 
facilitates the licensing of copyrighted materials, but at the same time permits 
the licensing of access to non-copyrighted materials; a technological infringer 
can violate §1201 independent of the exclusive rights of copyright holders 
under copyright legislation. It has been dubbed as ‘para-copyright’ provisions 
by some critics. [21 ] 


2.3.5. Self-Help: Private Measures to Extend the Long-Arm of Control 
over a Work 


Control is being cast over copyright as ‘intellectual property’ through restric- 
tive licenses in lieu of a simple contract of sale or transfer of a piece of work 
in tangible form. Personal use, interoperability, first sale and other doctrines 
that worked in favour of the user-consumer are now threatened, if not take 
away, by the increasing use of licenses in the ‘sale’ of works, both in digital as 
well as in tangible form. The ambiguity under the law exacerbates the pro- 
blem. The rise of the EULA is clearly a problem particularly as they serve the 
same purpose as contracts except that they incorporate terms which fairness in 
relation to the same consumers and largely the same uses are questionable, and 
they remain largely unchallenged in the courts. 


3. The ACL-Fair Use/Dealing Fencing-in of Fair Use 


3.1. The Function of Fair Use and Its Role in the Digital Age 


“Fair use” in the U.S. and its “fair dealing” equivalent in many Commonwe- 
alth Countries and common law jurisdictions carry the weight of public policy 
for the release of copyright to society without the need to seek the copyright 
holder’s permission or for consideration, such as monetary payment. One dic- 
tionary defines “fair use” concisely as a “reasonable and limited use of a co- 
pyrighted work without the author’s permission.’{22] In other words, it 
embodies a government-sanctioned justification and legitimacy to engage in 
acts that would otherwise be an infringement on the copyright holder’s exclu- 
sive rights. The doctrine has existed in common law for some time as an equ- 
itable defense designed to avoid the rigid application of the exclusive rights 
reserved for the copyright holder under copyright statutes in situations and in- 
stances where it will stifle the creative and leaning environment that it was 
meant to nurture and produce, or where it will cause detriment to other socie- 
tal benefits that outweigh the private interest in protection. Because it is im- 
possible to predict the fact situation in every case, it remains a legal test for 
court application, albeit with some statutorily built-in factors, which offer some 
guidance for fair users to determine the likely legitimacy of their actions in the 
absence of first seeking copyright holders’ consent. 


Fair use in the U.S. is a measure that has served a useful role both as a 
general as well as a purpose-specific protection against the threat and stigma of 
copyright infringement and its consequences. [23]Due to the catch-all provi- 
sion, fair use is a malleable and adaptable doctrine which is not confined to 
any specific purpose unlike the fair dealing doctrine. The courts apply the do- 


ctrine in the changing context of society guided by some factors provided by 
legislation and judicial common sense. The factors determining fairness are 
non-exhaustive and the courts have come up with some new and important fac- 
tors in recent years to adapt its function to the electronic age such as the “trans- 
formative use test’[24]. Fair dealing as it exists in other common law countries 
was predominantly purpose-specific until more recently when some jurisdic- 
tions have seen fit to amend their legislation to render it open-ended much like 
fair use as a counter-weight against expansions in protection. Open-ended fair 
use/dealing obviously operates more favourably than the traditional closed-list 
fair dealing for the wider segment of societal and individual interests. 


The fair use/dealing doctrine facilitates the development of taxonomy for 
determining the rights of all interest parties both in the real-space and in cy- 
berspace. It is adaptable to the latter context as it is neither be frozen in time 
or space (although existing purpose-specific fair dealing exemptions in some 
jurisdictions should be subject to statutory amendment and inclusions in order 
to take into account changes in context, preferably with the inclusion of a re- 
sidual ‘safety-net’ provision) nor limited by the type of outcomes we have come 
to expect of its application in the real world (in its application to the context, 
facts and circumstances of each case).[25] There are various types of fair uses, 
and an expansion of the types and nature of fair use in the digital context, in- 
cludes the classic productive use and pure personal use, [26] as well as perso- 
nal productive use. [27]Increasingly, we see a boom in a re-use and re-mix 
culture, particularly in relation to audio and visual media, which is fostered by 
the functions offered by information technology. 


For convenience, from this point, the reference to “fair use” will also 
refer to “fair dealing” as a test (i.e. the open-ended or purpose-specific diffe- 
rence shall be ignored until it is once again taken up as an issue for reform later 
in the paper). This will dovetail into the proposal in Part 4 to harmonise them 
under a singular broad-based non-purpose specific right (under the rubric “fair 
use right”) for users. Substance is more important than form, and a broad-based 
fair dealing right is synonymous to a fair use right provided that they serve the 
same function and have the same broad scope of application. 


3.2. The Threat to Fair Use and Its Importance and Continued Rele- 
vance 


The importance of fair use cannot be understated. It has been used invariably 
in response to new forms of information technology that have benefited so- 
ciety in terms of the cost-effectiveness, time-efficacy and labour efforts rela- 
ting to the creation, storage, duplication, distribution and adaptation of creative 


works. It is the champion of all interests other than the copyright holder’s with 
which it is in constant tension and conflict. So far, it has only been refined with 
the addition of factors to determine what is fair, and even then it is not a ma- 
thematical formula and although courts do canvass the factors and determine 
which favours which party more, it remains a flexible and equitable rule of re- 
asoning for the courts determine in whose favour the final equation falls. 


3.2.1. DRM: First Salvo - Taking Away Control Over Use 


Much has been written on the blind threat to fair use through the use of DRM, 
including TCM and EULA. DRM provisions are general and do not distingu- 
ish between fair and unfair uses. For the objective of the doctrine of fair use to 
work, both legal and actual access to a work, whether in physical or digital 
form, is required. If access to such a work is prohibited or restricted, and if the 
access and use of software or devices that facilitate access in spite of such pro- 
hibition or restriction, then fair use is defeated. 


3.2.2. ACL: Second Salvo - Taking Away Instrument to Overcome Con- 
trol Over Use 


Anti-circumvention provisions also do not distinguish between fair. and unfair 
use and takes away the fair use potential of all DRM protected works.[28] This 
is especially real when one takes into consideration the fact that most users 
lack the technical know-how or facility to circumvent locking technologies in 
order to exercise fair use, while those that do are prevented or dissuaded from 
creating and using such technologies because it is now even a crime to do so. 
[29] 


3.2.3. A Summary- of the Problems of DRM/ACL in Jurisdictional 
Context 


DRM/ACL legislative provisions categorically ban or prohibit even the very 
creation of circumvention devices that can be used to circumvent DRM. So 
too are the manufacture and availment of measures to circumvent access and 
copy control measures. This does not take into account the many legitimate 
uses of circumvention devices and the benefits of developing such new tech- 
nologies. The availability of such devices is fundamental to the ability to exer- 
cise the many types of fair uses that would otherwise be easily performed if not 
for DRM. We need both the legal and technological tools in order to make fair 
use work. The risk and threat of litigation for such technology creators and the 
lack of resources available to users who are largely individuals as well as the 
uncertainties and difficulties of doing so have too much of a dampening effect 
for this scheme to work efficiently. Current exemptions to the general prohi- 


10 


bition against circumvention are also currently purpose-specific and too limi- 
ted. ACL can also have potential long-term adverse effect beyond the legitimate 
period of copyright protection, by locking-in works indefinitely. 


3.3. The Growth of Awareness of the Need for a Fair Use Right 


While the nascent idea of a “positive fair use” was earlier espoused by the 
U.K.-based Campaign for Digital Rights, the idea has since gained momen- 
tum in Canada and attracted the attention and interest of the academia, civil so- 
ciety and even the courts and the Canadian legislature. The Supreme Court of 
Canada has since recognized fair dealing in Canada as a user right. Recently, 
the interpretation of section 29 of the Canadian Copyright Act (i.e. fair dealing 
for the purpose of research or private study), and the judicial attitude and ap- 
proach towards establishing fair dealing in general, have become more liberal 
and proactive. 


The Supreme Court of Canada took the lead in this initiative in a series 
of cases at the cusp of the new millennium beginning with Théberge v. Galerie 
d’Art du Petit Champlain inc{30] Justice Binnie, giving the judgment of the 
Théberge court, spoke on the importance of balance in Canadian copyright 
law{31 ] Soon after affirming the need for balance in Canadian copyright law, 
a unanimous Supreme Court proceeded to highlight and recognize the impor- 
tance, and in the process open the door to elevating the status, of fair dealing 
in the seminal case of CCH Canadian Ltd. v. Law Society of Upper Canada[32] by 
describing it as a “user right”. Justice McLachlin, giving the judgment of the 
court, stated that: “[T]he fair dealing exception is perhaps more properly un- 
derstood as an integral part of the Copyright Act than simply a defence. Any act 
falling within the fair dealing exception will not be an infringement of copyri- 
ght. The fair dealing exception, like other exceptions in the Copyright Act, is a 
user’s right. In order to maintain the proper balance between the rights of a co- 
pyright owner and users’ interests, it must not be interpreted restrictively.’[33] 


4. The Legal, Social and Policy Implications of a Fair Use 
Right ; 


The user of a copyrighted work currently do not have a natural or positive right 
to fair use under the existing copyright regime at both the international and na- 
tional level. The proposal in this Part is for the entrenchment of fair use as a 
“right” and the real differences that will result in its status as well as the bene- 
fits that that entail. The distinction will be made between a ‘first class’ right ver- 
sus a ‘second class’ privilege; and between the ‘entitlements’ of a right versus 
the ‘pardon’ of a defence. Many commentators speaking of and writing on fair 


11 


use refer to it interchangeably as an “defence”, “exemption”, “exception”, “li- 
mitation” and sometimes even as a “right” without making a distinction or con- 
sidering the subtle conceptual and jurisprudential differences between each of 
those words; in particular the “right” as compared to the former descriptions. 
This failure to distinguish and the ensuing confusion must be avoided. 


4.1. Comprehensive Treatment and International Harmonisation 


The legislative approach is faster, reflects policy and can be more immediate 
and reactive (depending on the process). Judges interpret legislation and al- 
though they can make law in common law legal systems they can only do so 
if the correct legal issue is raised before it, which is neither immediate nor pro- 
active. Codification or progressive development of the law is also preferable 
on an international platform for harmonization. International dialogue and har- 
monisation of systems is important due to the fact that the geographical loca- 
lization and distinction that may have existed in the past between parties and 
in relation to the creation and distribution of works do not exist now. Hence, 
the approach to change should be multi-level and multi-pronged. Law and po- 
licy changes will have to be effected at the international level to be consistent 
with the arguments of universality wrought by cyberspace and to produce the 
fairest result among parties as well as a penetrative and consistent effect among 
different jurisdictions. [34] 


4.2. Proposal for an Open-Ended “Fair Use” 


Fair use is still the most important instrument to counter-balance the weight of 
copyright protection and it has shown versatility through time. The point here 
is that, as one writer put it, “fair use should be rescued, and rebuilt” [35 ]and not 
discarded as it has not outlived its usefulness. It readdresses the issues relating 
to the extent of copyright protection and encapsulates the concept of balance 
(fair) and it also describes the main interest of others in the nature and types of 
uses (sharing, re-use, re-mix, personal use, etc.). The support here is towards 
a more flexible and open-endedness test as opposed to a purpose-specific list 
approach that is confining and myopic, especially given the technological and 
social changes in the last decade or so. In fact, as noted, countries using the fair 
dealing test have either already adopted or are considering the adoption of the 
open-ended fair use approach. 


Fair use is still relevant due to its versatility and flexibility. What use is 
fair can evolve with the times and with advances in technology. One need only 
look back at the representative cases in the last decades that have re-molded and 
reigned in copyright protection in the light of technological development using 
the fair use instrument. In the 1980s, there was the Sony Corp. v. Universal 


12 


City Studios, Inc. (Betamax case)[36] in the 1990s, the Recording Indus. Ass’n 
of Am. v. Diamond Multimedia Sys.[37] and in 2000 the P2P line of cases. 
Thus, there is no reason why it cannot still meet the challenges posed by new 
technology and the needs of the global digital society. 


Moreover, fair use has already been established as an important organ of 
the copyright body of law. It will be less threatening, and hopefully more ac- 
ceptable, to copyright holders to modify something familiar than to suggest 
the introduction of more radical changes. It is to be noted that most of the chan- 
ges that entail from the fair use right are procedural rather than substantive, 
which is meant to level the playing field for individual users and other mem- 
bers of society vis-à-vis copyright holders. It is especially urgent to repair and 
reinstate fair use given the myriad threats besides DRM and ACL that are posed 
to user rights in the digital age. They include the downgrading of the expres- 
sion-idea dichotomy given the ease of expression in digital form including 
audio, visual and typed form; the threat to the first-sale doctrine,[38]and exhau- 
stion of rights through replacement of ‘sale’ with ‘licenses’; and other issues 
and uncertainties relating to personal use, such as backing-up of files, replica- 
tion, time/space/format-shifting, and interoperability across devices. 


4.3. From Legal Exception to “Legal Right”[ 39] 


In legal jurisprudence, generally a “right” is the legal or moral entitlement to 
do or to refrain from doing something or to obtain or refrain from claiming or 
obtaining something (such as an action, thing or recognition) in civil society. 
Rights serve as rules of interaction between people; as such, they place con- 
straints and obligations upon the actions of individuals or groups. [40]The phi- 
losophy of copyright relates to the jurisprudential basis for copyright law and 
policy. Copyright is largely defined by the statutory laws of a legal system or 
systems and in the interpretation and application of the statutory provisions by 
its courts, particularly in common law countries. Philosophical and jurispru- 
dential disagreements surrounding copyright act as ‘proxies’ for policy differ- 
ences. Legal rights cannot exist in vacuo but owes its existence to the rules of 
legal systems. 


Philosophically, the conceptual analysis of legal rights has been appro- 
ached in many different ways. Although not all philosophers can agree on what 
constitutes a legal right, [41 ] there have not been a lack of approaches to its ana- 
lysis that have resulted in several main approaches, which may be loosely ca- 
tegorised into two schools of thought: First, those who consider rights as 
special and that takes priority over other considerations (an approach that is 
simplistic in its complexity); [42] and second, those that choose to analyze ri- 
ghts with reference to other concepts as duty, liberty and powers or any com- 


13 





bination thereof. In the case of the latter, taking the view that the right is only 
given effect by these other concepts but is not confined or defined by them 
means that rights are flexible and can be manifested in new ways or form to 
meet the needs of changing conditions or circumstances. What is essential for 
our purposes here is that despite the different approaches to conceptualising 
legal right and whatever the relationship it has with duty, liberty and power 
(all of which connotes strong priority under law), all jurists agree that rights are 
of primary importance and strength and takes precedent over lesser legal con- 
cepts and certainly non-legal privileges. 


In the context of this paper, we do not equate rights with duties but ra- 
ther with voluntary entitlements that the right holder can choose to enforce but 
that remains an option until it is exercised against another. For our purposes, 
the significance is that irrespective of the philosophical approach, recognizing 
fair use as a right definitely gives it something more than relegating it to an 
exception. 


What is a “legal exception” as opposed to a “legal right”?[43] At the 
outset, the main tenor of this paper is on the practical justifications for streng- 
thening the function of fair use, particularly procedurally, and basing and distin- 
guishing it from the existing functionality of the doctrine on a legal rights-based 
perception (i.e. “user right”, as some would prefer). The reference to fair use as 
a limitation, exemption or exception, or in any other term that has a limiting 
connotation and that conjures a somewhat second class status to copyright has 
given way, in some quarters to the more affirmative and recognized quality of 
a right, with an essential role in counter-balancing copyright protection. This 
approach is relatively new and partly a reaction to the wave of protective me- 
asures adopted under legislation. [44] 


As noted, the concept of user rights has been recognized by courts, in 
particular the Canadian Supreme Court in CCH Canadian Ltd v. Law Society 
of Upper Canada[45] which classified “fair dealing” as a “user right”. It has 
also become the rallying call for civil rights groups like Digital Copyright 
Canada. The real practical importance of making fair use a right, and the dan- 
ger of not doing so, is encapsulated in this comment by one writer that “the fair 
use doctrine is no longer necessary as applied to controlled digital con- 
tent... DRM or encoded content no longer fits the definition of a pure public 
good...[and] fair use remains an affirmative defense, not a direct cause of ac- 
tion. Therefore, there is rarely a need or ability to invoke fair use privilege for 
DRM or encoded content.” [46] The exclusivity of rights is in its primary and 
remedial function. The right to start a legal action (sword) to enforce a right 
cannot be based on an exception (shield) to defend an act. 


14 


An example of the problem with legal exception is illustrated by the 
Paris Cour de Cassation decision in the 2007 Mulholland Drive case. The case 
was brought up in 2003 by a consumer in a complaint against the producers of 
the movie Mulholland Drive because the legally acquired DVD was protected 
by DRM that did not permit the consumer to make a copy of it in order for him 
to watch it on a VHS cassette (format/space shift) at his parents’ home. The 
DVD did not have any clear notice that it could only be used with specific de- 
vices. The Cour de Cassation held that the private copy of a certain work is not 
a right but a legal exception and that no one can start a legal action based on 
an exception, which can however be used as a reasonable defence in the case 
of alleged counterfeit, if the other legal conditions are fulfilled. [47] 


The starting premise is that the copyright holder has private rights over 
his work ab initio[ 48] whereas exceptions are not ‘as of right’ but only exists 
when proven to exist. Other than cause of action there are also implications 
for burden of proof. In the context of copyright laws, the lower status of a legal 
exception is shown by the fact that in order to “use” a copyrighted work, you 
must either have the copyright holder’s permission, or you must qualify for a 
legal exception such as “fair use”. Seeking permission and showing that you 
qualify for an exception (and hence have not infringed copyright) are placed 
on the same plane. There is prima facie infringement until proven otherwise. 
Also, looking at copyright legislation and how it is structured, even though 
there is no indication that there is a hierarchy in the numbering and order of the 
provisions, it is a telling sign and reflects the level of importance given to co- 
pyright over exceptions that the nature of copyright protection and infringe- 
ment provisions appear before fair use provisions. 


4.5. The Legal and Policy Implications of a “Fair Use Right” 
4.5.1. Positive Rights for Fair Users 


Why is it significant to elevate fair use formally to the status of a right? It con- 
stitutes an acknowledgement that both private interests and public interest of 
stakeholders on both sides of the equation are on equal footing and should be 
treated equally. As between rights to the same subject matter, the apportionment 
of rights should be formulated in such a manner that they are of equal stan- 
ding by establishing mutual exclusivity of rights in creative works and to avoid 
conflict. As noted, there is a difference between the status in law of a right as 
opposed to an exception. Giving someone a right empowers the person in many 
practical and real ways than if his actions are merely tolerated as an exception. 
It is important not only to label fair use as “right” but to consciously recognize 
it as such with the attendant entitlements (as opposed to privileges, which can 
be more easily conferred and revoked) and powers that come with that status. 


15 


The institution of change through international harmonization of laws 
and through legislation will translate into other law-making forums such as the 
courts in common law jurisdiction by influencing the mindset the premise of 
judges (which we have seen develop independently in Canada), leading to 
expansive and generous interpretation (as opposed to a narrow and strict in- 
terpretation) of the fair use doctrine, and to the evolution of the factor analy- 
sis, taking into account new developments, in both description and application. 


4.5.2. From Shield to Sword: Procedural Overhaul 
4.5.2.1 Fair Use as Affirmative Rights [49] 


Fair use is currently an affirmative defense, [50] which means that a defendent 
has to proactively claim protection under its exemption, rather than the court 
automatically deciding whether the exemptions applies. As it currently stands, 
fair use cannot be raised as a defense unless the plaintiff brings an action on 
copyright infringement and shows a prima facie case of infringement. If it is a 
right, the courts (or an administrative body) can automatically consider its me- 
rits if called upon to do so and a fair user can also bring an action to affirm the 
right, perhaps with a view to obtaining a declaratory judgment or to extingu- 
ish an infringement threat or preempt an infringement action. The copyright 
holder must then disprove fair use. A right to a cause of action and the standing 
to assert the right to fair use against measures which interferes with such a 
right, including TCM and ACL, is essential to its existence and continued re- 
levance. 


This, as an affirmative right, there should be the standing to bring a cause 
of action to assert fair use. It is to be noted that under article 6 of the EU Co- 
pyright Directive, circumvention requires a subjective element of knowledge 
or bad faith. Hence, accidental circumvention is excused. Article 6(4) of the EU 
Copyright Directive tries to reconcile ACL with user rights by relying on vo- 
luntary measures taken by the copyright holders to ensure the users’ fair use 
rights, or in the absence thereof, it requires the Member States to take “appro- 
priate measures” to ensure that copyright holders make available to the public 
“the means of benefiting from that exception or limitation”. However, it only 
refers to certain exceptions and limitations and Member States cannot go bey- 
ond the protection intended by article 6(4) and privilege other fair uses. As an 
example of how this has been implemented, German law currently provides 
for most of the exceptions and limitations included in article 5 of the Copyri- 
ght Directive. The German approach to article 6(4) is to oblige copyright hol- 
ders to provide beneficiaries with the necessary means to use the rights under 
the exceptions. Under §95b(1) of the Gesetz über Urheberrecht und verwandte 
Schutzrechte (Urheberrechtsgesetz) (UrhG), if copyright holders fail to pro- 


16 


vide the beneficiaries with the necessary means to exercise an exempted act, 
the individual beneficiary has a claim against the copyright owner. The law 
provides for a new group litigation right for associations, which allows them 
to sue copyright holders violating their duty for an injunction. The compro- 
mise is that although it does not permit the user to resort to circumvent the 
technological measures through self-help or with assistance from technology 
developers, it still provides an avenue for the user to make a claim against the 
copyright holder through legal means. 


4.5.2.2. Action for Decryption 


As a right, the fair user should have the power to require or compel the copy- 
right holder to decrypt or facilitate access to a TCM protected work for fair 
use purposes.[51 ] In other words, there is a duty on the copyright holder to 
offer decryption services under the right circumstances. The mechanics of how 
this can be done can be developed. For instance a process can involve the po- 
tential user first approaching the copyright holder for access. If the latter obli- 
ges, then the matter ends there, but if not, a speedy administrative 
determination can be made (e.g. by a registrar or expert) which can provide an 
impetus for the copyright holder to comply, failing which an appeal can then 
proceed to be initiated before the courts (which will take into consideration in 
some manner the administrative decision). There will be attendant appropriate 
distribution of costs upon determination based upon the merits of the case and 
the reasonableness of the request for use and the denial of use. Unless and until 
automatic fair use defaults can be built into access control technological me- 
asures, [52] this is a solution to the problem of access. 


4.5.2.3. ‘Re-enfranchisement’ of Circumvention Technology Makers 


Affirming “right to access” for fair use extends to “right to means of access” 
for such purposes. [53] Making it more difficult to prosecute the primary fair 
user will also make it more difficult to do so for secondary parties who may be 
caught under the statutory provisions on vicarious, contributory or authoriza- 
tion infringement or the like (as the case may be). Hence, fair use right should 
extend to secondary parties developing and providing the means to the extent 
that the use is likely to be non-infringing. As it currently stands, there is primary 
and secondary infringement; hence there should also be primary and secon- 
dary fair use rights. Fair use right is not only a right of the user but should also 
extend to intermediaries, in particular technology innovators. It will allow them 
to legally and legitimately create such technologies that are beneficial to soci- 
ety and digital advancement, create competition and improvements in tech- 
nology, and produce technologies that also provide for other uses beyond DRM 
and circumvention measures. In particular, in this context, creators of circum- 


17 





vention technologies can exercise either their own secondary fair use rights (in 
connection with the invention provided that it relates to the support of primary 
fair use, such as if it were done at the behest of a primary fair user), or to ex- 
ercise vicariously the rights of the primary fair user. The idea of a fair use re- 
gistry in 4.5.3 can extend to this category of persons, perhaps to a more 
important (or even greater extent) than to registration of primary fair use. This 
will alleviate the deterrent effect and the current prohibitory environment that 
they work in.[54] In the meantime, it will also have the incidental but no less 
important effect on the ordinary user as he will avoid the burden and difficul- 
ties of self-help decryption or having to resort to unreliable qualified services 
or illegal software. 


4.5.2.4. Adjusting the Burden of Proof 


Currently, a copyright holder alleging infringement of the copyright in a work 
simply has to prove the existence of a valid copyright, his ownership of that co- 
pyright, and the use of the work by the defendant without permission. The legal 
burden of proof then shifts to the defendant[55] who may then take the op- 
portunity to make the claim of fair use by proving on a balance of probability 
and satisfying the court that he satisfies it in terms of the manner of use as well 
as the type of use, if the exception is purpose-specific.[56] Hence, the defen- 
dant encounters two levels of uncertainty at two points in time - his own judg- 
ment that his use is fair at the time of actual use, and subjecting that judgment 
to the court’s determination if a case is brought against him. These cumulati- 
vely have the effect of deterring a lot of potential fair uses that are of benefit 
to the individual and to society at large, because the risks and uncertainties to 
potential fair users are high. 


Some courts appear to acknowledge the need to alleviate some of the 
hardships facing fair users in relation to having to defend their actions in court 
by proving fair use. The U.S. Supreme Court has indicated that some specific 
elements of fair-use proof may, under some circumstances, be placed on the 
plaintiff and not necessarily lie with the defendant. [57] The U.S. Supreme 
Court has allowed the onus of proof for some elements of fair use to be shifted 
from the user-defendant to the owner-plaintiff. [58] This shifting of the factual 
burden of proof can also serve to place the onus on the party that may be in a 
better position to bring in the relevant evidence. This practice shows that even 
though it does not fit the label of a defence, the courts are starting to acknow- 
ledge that fair use should be a right, albeit in a piecemeal and tacit manner, by 
taking incremental steps to subtly shift the burden of proof to improve fairness 
and efficiency anyway. Formally recognising fair use as a right will also pro- 
mote consistency of treatment in the courts. 


18 


Recognizing fair use as a right will shift the legal onus of proof to the 
copyright holder to show unfair usage of his copyrighted work by any user. In 
fact, the copyright holder should be charged with the burden of proving not 
only the basic elements of copyrightability, ownership, and infringement, but 
also that the use is not fair use, before the onus shifts to the defendant to sa- 
tisfy the court that the use is indeed fair. This proposal goes further than just 
creating specific exempt class of users by shifting the burden of showing unfair 
use or circumvention for infringing purpose to copyright holders for a broad 
swath of users on the basis of intended use rather than based on specific pur- 
poses when we factor in the open-ended fair use right. Socially, shifting the 
burden of proof protects freedom of speech and expression that already un- 
derlie many types of fair uses such as the use of existing works for criticism, 
parody, research and study. The “fairness” analysis[59] (onus on the copyright 
holder) should be separated from the “purpose” analysis (onus on the user de- 
fendant). In the latter case, as long as a main purpose is legitimate it should be 
a sufficient basis for fair use, which is in line with the open-endedness of fair 
use. 


There can also perhaps be a gradated burden of proof for different pur- 
poses or objectives related to the use. For example, some suitable specific pur- 
poses, particularly those already in existence as exceptions, can be deemed a 
permitted purpose for straightforward cases based on the facts (e.g. criticism, 
review or news reporting under a commentary or column in a magazine); while 
for others it is presumed as it will depend upon the circumstances of each case 
whether it is so (e.g. study and research); whereas for a purpose claimed under 
the general rubric that does not qualify or fall under a specific-purpose category 
of any sort, it will remain to be proven by the user defendant. 


In summary, rather than giving copyright holders the sword and fair 
users a mere shield or vice versa, this is merely creating an equal ground by ar- 
ming both parties with both the sword and the shield for a fair battle before 
the courts. It will also allow the manufacture, distribution and the commission 
of devices and software that make it possible for consumers to exercise their 
rights under copyright law as the makers and distributors of such devices or so- 
ftware. 


4.5.2.5. Countering Abuse of Copy Right 


There are notable trends of tactical or strategic lawsuits made to dissuade uses 
irrespective of the fairness of the equation. Some copyright owners frequently 
make infringement claims even under circumstances where the likelihood of 
fair use is high with a view to deter uses without permission, most often with 
a view to preserving profits. These are frivolous lawsuits and the misuse of a 


19 


legal right. Another example is the increasing over-utilisation, over intrusive- 
ness and ‘dangerous’ uses of TCM such as in the Sony BMG Rootkit case, 
which should also entail sanctions under the copyright regime, on top of other 
civil or criminal laws that may be implicated. Just as the user has a responsi- 
bility to render use a copyrighted work fairly or else face infringement sanc- 
tions otherwise; consonant with elevating the fair use to a right, the copyright 
holder who misuses his copy right should also face sanction should his actions 
constitute an abuse or overreaching of statutory rights.[60] Examples include 
requiring the strengthening of control over TCM by providing that they must 
accommodate rights that are established by existing legislation, including but 
not limited to copyright law exemptions; and allowing for the loss of ACL pro- 
tection in the case of an abuse such that and all users may legally circumvent 
it. The failure to remove DRM, in particular TCM, after the expiry of statutory 
protection should also be sanctioned as it is a detriment to society to have works 
permanently locked from the public domain after it has fallen out of the period 
of protection. 


4.5.3. From Shield to Sword: Institutional Approach 


Elevating fair use to a right justifies institutional support to encourage and sup- 
port fair use. An administrative institution will be useful as a fast-track and in- 
expensive recourse for individuals. It can also function as a watchdog with its 
own powers of initiating review and achieving fairness. 


4.5.3.1 A Registry for Fair Use and Fair Development of Circumvention 
Technology 


There can be a registration system for users to assert fair use. If registered after 
administrative consideration, it can be taken as proof of fair use and be taken 
in favour of the user if the matter is later disputed. This may lead to action for 
decryption of the work if it is under a DRM. As noted technology creators sho- 
uld also be able to register their creations for the purpose of fair use if that is 
indeed the case. The copyright holder can then make use of a complaints or ob- 
jection procedure to challenge the assertion of fair use which can then lead to 
an adjudicatory role for the agency. This will be a precursor to court action if 
the matter has to be taken that far, but it can serve to remove many cases from 
court adjudication. 


4.5.3.2. Adjudicatory Determination of Fair Use Rights 


The procedural changes necessitated by fair use right were posited mainly in 
the context of the courts and civil procedure; but the functions relating to as- 
serting fair use can also be performed at an initial stage at low cost and more 


20 


speedily by an administrative agency, which can hear and decide on fair use ri- 
ghts assertions (e.g. provide a forum for a declaratory administrative judgment 
of fair use, which will serve to protect a user from a subsequent action for in- 
fringement or at least require the copyright holder to actively challenge the fa- 
irness of the use[61 ] or a ‘fair circumvention application’ procedure); and on 
user claims against copyright holders for failure to provide the means to per- 
form fair use (e.g. through a ‘notice and take down’ procedure) [62] compla- 
ints of an over-reaching DRM or abusive use of copy right, and so on. 


4.5.3.3. Oversight Body to Protect and Preserve Fair Use 


The French government has established an oversight body to protect and pre- 
serve fair use. On 6 April 200763] the French government put in place a re- 
gulatory body as a form of remedial measure to ensure that DRMs are 
compatible with copyright exceptions and do not, inadvertently or intentio- 
nally, prevent users of copyrighted works from fair use. This approach of using 
a national DRM watchdog bears monitoring with a view to transposition and 
implementation in other countries, and even provide the prototype/vanguard for 
an international watchdog, if it proves to be successful. The independent ad- 
ministrative agency known as the Autorité de Régulation des Mesures Techniques 
(Regulatory Authority for Technical Measures or ARMT) was a main feature 
of the new French copyright law (the DADVSI) that was passed in August 
200664] A supervisory role similar to that adopted by the regulatory body in- 
stituted in France can be put in place to actively oversee and ensure, even in 
the absence of complaint or dispute, that DRM are compatible with copyright 
exceptions and do not in any way prevent users of copyrighted works from fair 
use. The inspection can also be given bite if the legislation provides it with the 
ability to impose fines or even to suspend or take away protection in more se- 
rious cases. 


In the context of the Internet and other portals or network for the 
(largely) free exchange of information, we already see concessions and adap- 
tations made to the digital era under copyright law, particularly in relation to 
the release of personal copying and distribution rights. There are provisions 
made on duplication of digital work, (in particular information) such as over 
the Internet, in updated copyright laws of many countries in order to reconcile 
copyright protection with modern forms of electronic interaction. Hence, copy- 
ing as a function of the Internet is customarily; and legally, where statutorily 
provided, not considered an infringement. There should be additional guidance 
on what is considered fair use, particularly personal use in relation to paid pro- 
ducts or services in this context, if it is not already legislated; such as the bo- 
undaries of fairness relating to time, format and space-shifting (such as 


21 


recording a television program to watch at another time, ripping music from a 
Compact Disc to a computer digital player, the reformatting and transfer of 
music files between devices). It will also be useful to specify and clarify fre- 
edoms specifically for user-creators and UGC, such as the freedom to re-use 
for non-commercial purposes (e.g. automatic share-alike function, as the same 
freedoms will apply to similar subsequent re-uses). In this capacity, an oversi- 
ght agency can also help to remove the confusing distinctions between license 
types, perhaps through recommended templates for copyright holders and 
explanations of popular license terms for users with a view to the standardisa- 
tion of licenses to reduce proliferation of license permutations or variations 
and to educate users to better understand terms of agreement. Its work here 
can also have a recommendatory effect for future amendments to copyright le- 
gislation. 


4.5.3.4. Fair Contract and User-Consumer Protection Body 


Third parties with fair use rights should not be required to negotiate for that 
right when their activities satisfy the fair use analysis. “[A]n action to enforce 
a contractual limitation on fair use rights is equivalent to a copyright infringe- 
ment action against a particular party, because in such an action the copyright 
holder necessarily would argue for a more limited fair use right (to the point 
of complete absence of fair use), whereas the copyright infringer would argue 
for broader fair use rights.”[65] There should be some baseline user rights, si- 
milar to consumer rights that cannot be contracted out of. This is to counter the 
dangers of license proliferation. For example, for consumer use alone (which 
is only a component of fair use), fair use needs to be clearly defined to educate 
them on what are their rights in relation to their digital media in order to over- 
come the real and perceived restrictions on consumer limitations in the use of 
such digital media, which they have paid for. As a right and for public policy 
reasons, fair use rights should be inalienable particularly as a method of pro- 
tecting the more vulnerable party - the user-consumer, from the increasingly 
unfair contract and licensing terms offered by copyright holders. [66] Both a 
user-consumer protection body and some form of digital consumer protection 
legislation can be enacted to resolve the relationship between even more re- 
strictive private forms of protection with public interest in fair use and private 
user interests. 


22 


5. Conclusion 


Sometimes it is important to return to basics and revisit fundamental concepts 
in order to take stock and keep in check the changes to legal rules in order to 
ensure that they are theoretically and philosophically sound. This is especially 
important in a field, namely the intersection between IP and IT, that is pro- 
gressing rapidly and where the need to keep the law in pace with contextual 
changes is particularly compelling, but without sacrificing its main objectives. 
In an attempt to re-adjust the perceived imbalance created by technology aga- 
inst copyright holders, lawmakers have created more protective measures that 
have only served to perpetrate a copyright regime that is against the interests 
of society in general and other stakeholders including users, user-creators and 
technology innovators. In order to bring some balance back to the equation, we 
can look to the ever-useful open-ended fair use doctrine by elevating it to a 
right with a view to strengthening it as a counter weight to a currently stron- 
ger copyright protection regime. 


Notes 


[1] Pub. L. No. 105-298, 112 Stat. 2827 (1998), codified at 17 U.S.C. 302 (2000). 

[2] Christopher Jensen, The More Things Change, the More They Stay the Same: Copy- 
right, Digital Technology, and Social Norms, 56 Stan. L. Rev. 531 (2003). 

[3] See Stefan Bechtold, Digital Rights Management in the United States and Europe, 52 
Am. J. Comp. L. 323, 331 (2004). 


[4]The WIPO Copyright Treaty (WCT) (CRNR/DC/94 (23 December 1996)), and the 
WIPO Performances and Phonograms Treaty (WPPT) (CRNR/DC/95 (23 December 
1996)). See in particular articles 11 and 18 respectively of the WCT and the WPPT re- 
spectively. 

[5] See e.g. Directive 2001/29/EC (2001 O.J. (L167/10)) of the European Parliament and 
of the European Council of 22 May 2001 concerning the harmonization of certain aspects 
of copyright and related rights in the information society (the EU Copyright Directive), 
and the Digital Millennium Copyright Act (DMCA) amendments to the U.S. Copyright 
Act Title 17 U.S.C. 1201 (Pub. L. No. 105-304, 112 Stat. 2860, codified at 17 U.S.C. 1201- 
1205 (Supp. IV 1998). See also, Stephen E. Blythe, The U.S. Digital Millennium Copy- 
right Act and the E.U. Copyright Directive: Comparative Impact on Fair Use Rights, 8 
Tul. J. Tech. & Intell. Prop. 111 (2006). 

[6] See Anne Hiaring, Whats New in the Neighborhood - The Export of the DMCA In Post- 
TRIPs FTAs, 11 Ann. Surv. Int’l & Comp. L. 171, 173 (2005). See also, Karen Gettens, 
Copyright Amendments under USFTA - Implications for Your Business, 8(8) IHC 91 (2005); 
Maurice Gonsalves, Copyright in Australia after the AUSFTA Amendments: An Overview 
of Enforcement of Copyright; 23(3) CopyReptr 72 (2005); Sacha Wunsch-Vincent, The 
Digital Trade Agenda of the U.S.: Parallel Tracks of Bilateral, Regional and Multilateral 
Liberalization, 58 Aussenwirtschaft 7 (2003). 


[7] The Cybercrime Convention is available at: http://conventions.coe.int/Treaty/EN/ 


23 








Treaties/Html/185.htm. See article 2 on illegal access, article 3 on illegal interception 
and article 6 on the misuse of devices. 

[8] See Ryan M.F. Baron, A Critique of the International Cybercrime Treaty, 10 CommLaw 
Conspectus 263 (2002). 

[9] See U.S. Department of Justice, Russian National Enters into Agreement with the United 
States on First Digital (USDOJ, 13 December 2001), available at: http://www.cyber- 
crime.gov/sklyarovA gree.htm (U.S. v. Elcomsoft and Sklyarov). See also, MGM v. 321 Stu- 
dios, Universal v. Corley and Felten v. RIAA, available at: http://www.eff.org/IP/DMCA/. 
See also, Jonathan Band and Taro Issihiki, The New Anti-Circumvention Provisions in the 
Copyright Act: A Flawed First Step, 3 Cyber. Law (1999) at page 2. 

[10] See Cassandra Imfeld, Playing Fair with Fair Use? The Digital Millennium Copyright 
Acts Impact on Encryption Researchers and Academicians, 8 Comm. L. & Pol’y 111 
(2003). 

[11][1988] 2 All ER 484. 

[12]464 U.S. 417 (1984). 

[13] See Randal C. Picker, Digital Rights Management: Mistrust-Based Digital Rights 
Management, 5 J. on Telecomm. & High Tech. L. 47, 59 (2006); Matt Jackson, Using 
Technology to Circumvent the Law: The DMCA’ Push to Privatize Copyright, 23 Hast- 
ings Comm. & Ent. L.J. 607, 608 (2003); Lawrence Lessig, Free Culture: How Big Media 
Uses Technology and the Law to Lock Down Culture and Control Creativity 227, 160 (Pen- 
guin Press, 2004). 

[14] See Lewis Krauskopf and Gavin Haycock, Music Industry Wins Song-Download Case 
(Reuters, 5 October 2007), available at: http://www.reuters.com/article/ top- 
News/idUSN0539430420071005. 

[15] Pub. L. No. 105-147, 111 Stat. 2678, codified as amended in various sections of 17 and 
18 U.S.C. (2000). 

[16] E.g. acts of circumvention and the trafficking in such technology relating to copy- 
righted works. See 17 U.S.C. 1204. 

[17] See Geraldine Szott Moohr, The Crime of Copyright Infringement: An Inquiry Based 
on Morality, Harm and Criminal Theory, 83 B.U.L. Rev. 731, 737 n.13-14 (2003). 

[18] Pub. L. No. 98-620, 98 Stat. 3347, codified as amended at 17 U.S.C. 901-914 (2000). 
[19] Pub. L. No. 104-39, 109 Stat. 336, codified as amended at 17 U.S.C. 106(6) (2000). 
[20] See e.g., Jane C. Ginsburg, Copyright Legislation for the Digital Millennium, 23 
Colum.-VLA J.L. & Arts 137, 140-143 (1999). 

[21] See Dan L. Burk, Anticircumvention Misuse, 50 UCLA L. Rev. 1095, 1109 & 1095 
(2003). 

[22] Black’s Law Dictionary 634 (8th ed. 2004). 

[23] See Eldred v. Ashcroft, 123 S. Ct. 769 (2003). 

[24] See Nicholas B. Lewis, Shades Of Grey: Can the Copyright Fair Use Defense Adapt 
to New Re-Contextualized Forms of Music and Art?, 55 Am. U.L. Rev. 267 (2005); John 
Tehranian, Whither Copyright? Transformative Use, Free Speech, and an Intermediate Li- 
ability Proposal, B.Y.U.L. Rev. 1201 (2005); Tracey Topper Gonzalez, Distinguishing The 
Derivative From the Transformative: Expanding Market-Based Inquiries in Fair Use, 21 
Cardozo Arts & Ent LJ 229 (2003); and Matthew D. Bunker, Eroding Fair Use: The 
“Transformative” Use Doctrine After Campbell, 7 Comm. L. & Pol’y 1 (2002). The trans- 


24 


formative use test has been applied in the context of the factor analysis in U.S. cases. See 
e.g., Kelly v. Arriba Soft Corporation, 311 F.3d 811 (9th Cir. 2003). 

[25]See Ruth Okediji, Givers, Takers, and Other Kinds of Users: A Fair Use Doctrine for 
Cyberspace, 53 Fla. L. Rev. 107 (2001). 

[26] See Jessica Litman, Frontiers of Intellectual Property: Lawful Personal Use, 85 Tex. 
L. Rev. 1871 (2007). 

[27] See Michael J. Madison, Rewriting Fair Use and the Future of Copyright Reform, 23 
Cardozo Arts & Ent LJ 391, 393-394 (2005). 


[28] See Derek J. Schaffner, The Digital Millennium Copyright Act: Overextension of 
Copyright Protection and the Unintended Chilling Effects on Fair Use, Free Speech, and 
Innovation, 14 Cornell J. L. & Pub. Pol’y 145 (2004); Laura J. Robinson, Anticircumven- 
tion Under the Digital Millennium Copyright Act, 85 J. Pat. & Trademark Off. Soc’y 957 
(2003); Jeffrey D. Sullivan and Thomas M. Morrow, Practicing Reverse Engineering in an 
Era of Growing Constraints under the Digital Millennium Copyright Act and Other Provi- 
sions, 14 Alb. L.J. Sci. & Tech. 1, 32 (2003); Pete Singer, Mounting A Fair Use Defense 
to the Anti-Circumvention Provisions of the Digital Millennium Copyright Act, 28 Day- 
ton L. Rev. 111, 123-126 (2002). 

[29] See John R. Therien, Exorcising the Specter of a “Pay-Per-Use” Society: Toward Pre- 
serving Fair Use and the Public Domain in the Digital Age, 16 Berkeley Tech. L.J. 979 
(2001). 

[30][2002] SCC 34, [2002] 2 S.C.R. 336. 

[31] bid. at para. 32 of the judgment. 


[32]2004 SCC 13, [2004] 1 S.C.R. 339. See Parveen Esmail, CCH Canadian Ltd. v. Law 
Society of Upper Canada: Case Comment on a Landmark Copyright Case, 10 Appeal 13, 
18-20 (2005). 

[33] Ibid. at para. 48 of the judgment. See David Vaver, Copyright Law (Irwin Law, 2000) 
at p. 171. 

[34] See Ruth Okediji, Toward an International Fair Use Doctrine, 39 Colum. J. 
Transnat’l L. 75 (2000). 

[35] See Michael J. Madison, Rewriting Fair Use and the Future of Copyright Reform, 23 
Cardozo Arts & Ent LJ 391, 416 (2005). 

[36]464 U.S. 417 (1984). Videotaping of copyrighted television programs was fair use 
(“time-shifting”). 
[37]180 F.3d 1072, 1079 (9th Cir. 1999), where “space- shifting”, defined as the process of 
transferring content from one medium to another, was upheld as a fair use. Note also the 
Audio Home Recording Act, 17 U.S.C. 1008 (2000). 

[38] See Victor F. Calaba, Quibbles ‘n Bits: Making a Digital First Sale Doctrine Feasi- 
ble, 9 Mich. Telecomm. Tech. L. Rev. 1 (2002); and Justin Graham, Preserving the After- 
market in Copyrighted Works: Adapting the First Sale Doctrine to the Emerging 
Technological Landscape, Stan. Tech. L. Rev. 1 (2002). 

[39] See generally, Kenneth Campbell, Legal Rights (Stanford Encyclopedia of Philosophy, 
2005), available at: http://plato.stanford.edu/entries/legal-rights/. 

[40] See generally, Leif Wenar, Rights (Stanford Encyclopedia of Philosophy, 2005), avail- 
able at: http://plato.stanford.edu/entries/rights/. See also, H. J. McCloskey, Rights, The Philo- 
sophical Quarterly, Vol. 15, No. 59 (1965) at pages 115-127, citing “rights as entitlements”. 


25 


[41] See e.g., Alan R. White, Rights (Oxford: Basil Blackwell, 1984). 


[42] See e.g., Ronald M. Dworkin, Law's Empire (London: Fontana, 1986); Ronald M. 
Dworkin, A Matter of Principle (Oxford: Clarendon Press, 1985); Ronald M. Dworkin, 
Taking Rights Seriously (London: Duckworth, 1978). 


[43] See William E. Scheuerman, Between the Norm and the Exception: The Frankfurt 
School and the Rule of Law (MIT Press, 1997). 


[44] See the Executive Summary to National Research Council, The Digital Dilemma: In- 
tellectual property in the Information Age (National Academies Press (2000)), available at: 
http://books.nap.edu/html/digital_dilemma/exec_summ.html#FOOTI, at n1. 


[45][2004] 1 S.C.R. 339, 2004 SCC 13. 


[46] Ben Fernandez, Digital Content Protection and Fair Use: What’s the Use?, 3 J. on 
Telecomm. & High Tech. L. 425, 443 (2005). 


[47] See Anon., Private Copy Explained By Court of Appeal in Paris (EDRI-Gram, 12 
April 2007), available at: http://www.edri.org/edrigram/numberS.7/private-copy-france. 


[48] See David Lyons, Utility and Rights, in Ethics, Economics, and the Law: Nomos XXIV 
107, 109 (J. Roland Pennock & John W. Chapman eds., 1982), cited in Joe Mintoff, Pref- 
erences and Rational Choice: New Perspectives and Legal Implications: Can Utilitarianism 
Justify Legal Rights with Moral Force?, 151 U. Pa. L. Rev. 887, 888 (2003). 


[49] See SunTrust Bank v. Houghton-Mifflin Co. 268 F.3d 1257, 1260 n.3 (11th Cir. 2001). 
[50] Campbell v. Acuff-Rose Music, 510 U.S. 569, 578 (1994). 


[51] See Jacqueline D. Lipton, Solving the Digital Piracy Puzzle: Disaggregating Fair Use 
from the DMCA’s Anti-Device Provisions, 19 Harv. J. Law & Tec 111 (2005). 


[52] See Dan L. Burk & Julie E. Cohen, Fair Use Infrastructure for Rights Management 
Systems, 15 Harv. J.L. & Tech. 41 (2001). See also, Pete Singer, Mounting A Fair Use De- 
Jense to the Anti-Circumvention Provisions of the Digital Millenium Copyright Act, 28 Day- 
ton L. Rev. 111 (2002). 


[53] See Tricia J. Sadd, Fair Use as a Defense Under the Digital Millennium Copyright 
Act’s Anti-Circumvention Provisions, 10 Geo. Mason L. Rev. 321 (2001). 


[54] See Llewellyn Joseph Gibbons, Entrepreneurial Copyright Fair Use: Let the Inde- 
pendent Contractor Stand in the Shoes of the User, 57 Ark. L. Rev. 539, 551-557 (2004). 


[55] Under current law, the copyright holder need only prove ownership of a valid and ex- 
isting copyright and that the defendant exercised one of the exclusive rights with respect 
to the work. See Castle Rock Entm't, Inc. v. Carol Publ’g Group, Inc., 150 F.3d 132, 137 
(2d Cir. 1998). 


[56] It is then for the defendant to prove fair use as an affirmative defense. See Harper & 
Row, Publishers, Inc. v. Nation Enters., 471 U.S. 539, 561 (1985); Campbell v. Acuff-Rose 
Music, Inc., 510 U.S. 569, 590 (1994); Video Pipeline, Inc. v. Buena Vista Home Entm 4, 
Inc., 342 F.3d 191, 197 (3d Cir. 2003). 


[57] See Sony Corp. v. Universal City Studios, 464 U.S. 417, 451 (1984). See also, Con- 
sumers Union of United States, Inc. v. New Regina Corp., 664 F. Supp. 753, 763 (S.D.N.Y. 
1987); United Feature Syndicate, Inc. v. Koons, 817 F. Supp. 370, 382 (S.D.N.Y. 1993); Tin 
Pan Apple, Inc. v. Miller Brewing Co., 737 F. Supp. 826, 832 (S.D.N.Y. 1990); Pillsbury v. 
Milky Way Prods., Inc., 8 Media L. Rep. 1016 (N. Ga. 1981); Harper & Row, Publishers, 
Inc. v. Nation Enterprises, 471 U.S. 539 (1985). 


[58] Kenneth D. Crews, Fair Use of Unpublished Works: Burdens of Proof and the In- 
tegrity of Copyright, 31 Ariz. St. L.J. 1 (1999). 


26 








[59] See e.g., Lord Denning MR’s observation in Hubbard v. Vosper, [1972] 2 QB 84 at 
page 94. 

[60] See JuNelle Harris, Beyond Fair Use: Expanding Copyright Misuse to Protect Digital 
Free Speech, 13 Tex. Intell. Prop. L.J. 83 (2004). 

[61] See Michael W. Carroll, Fixing Fair Use, 85 N.CLL. Rev. 1087, 1091 (2007). The 
writer, in describing his proposal of a Fair Use Board, talks about giving fair use a “fair 
chance”. 

[62] See e.g., the Copyright Amendment (Digital Agenda) Act of 2000 to the Australian 
Copyright Act, which allows the recipient of a device or service to make a written decla- 
ration that it is used for a ‘permitted purpose’.” See also, Alex Colangelo, Copyright In- 
fringement in the Internet Era: The Challenge of MP3s, 39 Alberta L. Rev. 891 (2002). 
[63] See Décret n° 2007-510 du 4 avril 2007 relatif à l’ Autorité de régulation des mesures 
techniques instituée par article L. 331-17 du code de la propriété intellectuelle 

[64] See Loi n° 2006-961 du ler août 2006 relative au droit d’auteur et aux droits voisins 
dans la société de I’information ; parue au JO n° 178 du 3 août 2006, page 11529. See also, 
Nicolas Jondet, DRM Watchdog Established in France (French-Law.net, 11 April 2007), 
available at: http://french- 
law.net/index.php?option=com_content&task=view&id=37 &ltemid=1; and Nicolas Jon- 
det, La France v. Apple: Who 5 the DADVSI in DRMs? (2006) 3:4 SCRIPT-ed 473, available 
at: http://www.law.ed.ac.uk/ahre/script-ed/vol3-4/jondet.asp. 


[65] Eric Douma, The Uniform Computer Information Transactions Act and the Issue of 
Preemption of Contractual Provisions Prohibiting Reverse Engineering, Disassembly, or 
Decompilation, 11 Alb. L.J. Sci. & Tech. 249, 259 (2001). 


[66] See Maureen A. O’Rourke, Drawing the Boundary Between Copyright and Contract: 
Copyright Preemption of Software License Terms, 45 Duke L.J. 479 (1995). 


27 











International Private Law Issues regarding Trademark 
Protection 
and the Internet within the EU 


Zuzana Slovakova 


Senior Lecturer 
Commercial Law Department 
Faculty of Law of the Charles University, Prague, the Czech Republic 
slovakov@prf.cuni.cz 


- Abstract. Given the global nature of the Interest, online trade- 
mark infringements always involve multiple territories. When any liti- 
gation is brought, it is necessary to determine the relevant jurisdiction 
and applicable law and then to resolve various issues in the recognition 
and enforcement of foreign judgments. In resolving these questions, co- 
urts will proceed according to their own international private law regu- 
lations, which may differ considerably from state to state. 
Internet-related cases always have the additional complication that it is 
extremely difficult to determine with reasonable certainty the court with 
jurisdiction and the applicable law. Over the years, the legal frameworks 
on civil court jurisdiction have been unified somewhat on a European 
scale. Courts in the EU must currently proceed according to Community 
law, particularly the Brussels I Regulation and, in the near future, the 
Rome II Regulation. 


1. Introduction 


This submission [1] deals with selected issues in international private law con- 
cerning trademark right protection and the Internet in the European Union. [2] 
The establishment of the Internet continues to generate major commercial op- 
portunities in fields including advertising and product offers and services. 
These lucrative applications of the Internet have been accompanied by a num- 
ber of intellectual property problems occurring not only in the area of trade- 
mark rights protection, but of intellectual property protection more generally. 
Various disputes have arisen regarding the use of trademarks on the Internet 
where different entities are the owners of identical or similar trademarks for 
identical or similar goods or services in different countries. Similarly, disputes 
have unfolded in cases where one entity’s trademark conflicts with an existing 
domain name, commercial name, or other designation. 


Like all intellectual property rights, trademark rights are based on the princi- 
ple of territoriality. Trademarks are protected in individual states, or, as the 
case may be, on a regional basis (e.g. as Community trade marks), but never 
on a global scale. Territorial restrictions on intellectual property rights drove the 


29 


development of international intellectual property law beginning at the end of 
the 19" century. These efforts sought to improve the international protection of 
intellectual property rights. Nevertheless, not even these steps have yet man- 
aged to alter the territorially limited nature of intellectual property. 


At present, the main source of international law related to industrial property 
rights, including also trademark rights, is the Paris Convention for the Protec- 
tion of Industrial Property (the “Paris Convention”). [3] According to the Paris 
Convention, each country of the Paris Convention must grant the nationals of 
other countries the same protection afforded to its own nationals, i.e. the pro- 
tection of domestic law (the national legal system), provided that all condi- 
tions and formalities imposed upon its own nationals have been observed. [4] 
In addition, the Paris Convention prescribes that each country must grant the 
nationals of all other countries certain minimal rights, irrespective of its own 
national law, i.e. even where these rights are not extended to its own nationals 
(iura ex conventione), for example, in the area of priority rights. [5] Other ef- 
fective international treaties on trademarks include the Madrid Agreement Con- 
cerning the International Registration of Marks, and the Protocol Relating to 
the Madrid Agreement Concerning the International Registration of Marks or 
the Trademark Law Treaty. [6] Nevertheless, the fact remains that with the ex- 
ception of certain direct rules on the iura ex conventione principle and the sta- 
tus of other countries, no unified substantive law on national trademarks has yet 
been established among the countries of the above-mentioned international 
treaties.[7] This situation can be contrasted somewhat with the regulation of 
Community trade marks, where the substantive laws set out in Council Regu- 
lation (EC) No 40/94 of December 20, 1993 on the Community Trade Mark, 
are uniform and directly binding throughout the entire territory of the EU. 


Where trademark infringement litigation involving the Internet concerns more 
than one state, then, as in any private legal relationship with an international 
element, it is necessary to resolve a number of key issues. These problems 
cover the determination of both jurisdiction, i.e. the state whose court is enti- 
tled to deliver a judgment on the merits and the applicable law as well as var- 
ious issues in the recognition and enforcement of foreign judgments. 
International private law decides these matters in most cases on the basis of ter- 
ritorially connecting factors, such as the domicile of a person, the place of reg- 
istration of an industrial property right, or the place of infringement. 
Nevertheless, due to the global nature of the Internet, it has become increas- 
ingly difficult to apply territorially connecting factors and to determine with 
reasonable certainty which court will have jurisdiction and which laws will 


apply. [8] 


30 


2. Jurisdiction 


Each state and its legal system is essentially responsible for determining the 
court with jurisdiction to decide on matters with an international element, even 
where these issues are also the subject of international treaties. When resolv- 
ing this question, courts proceed according to their own international private 
law regulations, which may differ considerably from state to state. 


On a European scale, the legal frameworks covering civil court jurisdiction 
have been unified to some extent over the years. This has occurred primarily 
through the conclusion of international treaties, including the Brussels Con- 
vention on Jurisdiction and the Enforcement of Judgments in Civil and Com- 
mercial Matters, adopted in Brussels on September 27, 1968 (the “Brussels 
Convention”) and the Lugano Convention on Jurisdiction and the Enforcement 
of Judgments in Civil and Commercial Matters, adopted in Lugano on Sep- 
tember 16, 1988 (the “Lugano Convention“). 


The Brussels Convention was subsequently adapted for EC member states in 
the form of Council Regulation (EC) No 44/2001lof 22 December, 2000 on Ju- 
risdiction and the Recognition and Enforcement of Judgments in Civil and 
Commercial Matters [9] (the “Brussels I Regulation” or the “Regulation”).[10] 
The Lugano Convention, concluded among the member states of the EC and 
Iceland, Norway and Switzerland, effectively extended the application of the 
Brussels Convention to these EFTA members, which, as non-EC states, had 
not been party to the earlier treaty. 


In recent years, it has proven necessary to adapt the rules under the Lugano 
Convention on jurisdiction and judgment recognition and enforcement in civil 
and commercial matters so that they correspond with the parallel regulation 
under the Brussels I Regulation. This harmonisation should ensure that court 
proceedings are handled and directed in the same manner by EC member states 
and the EFTA states. [11] A new Convention on the Recognition and Enforce- 
ment of Judgments in Civil and Commercial Matters [12] (the “Lugano Con- 
vention II‘) has therefore been signed to replace the Lugano Convention. The 
application of the Brussels I Regulation will not be influenced by this treaty. 
[13] 

The relationship between the Brussels I Regulation and the bilateral interna- 
tional conventions and treaty listed in its Article 69 has been resolved so that 
in any matters addressed by the Regulation, it supersedes these conventions 
and the treaty. [14] These conventions and treaty therefore continue to govern 
any issues not dealt with in the Regulation. The Regulation’s relationship with 
national law is set out in Article 249 paragraph 2 of the Treaty establishing the 


31 


European Community, [15] which states that the Regulation shall have gen- 
eral force and will be binding in its entirety and directly applicable in all mem- 
ber states. Any national regulations that conflict with the Regulation are 
rendered ineffective as a result of its priority. Issues not contemplated by the 
Regulation are naturally to be assessed from the standpoint of national law. 


The Brussels I Regulation unifies the international procedural law valid for 
EU member states. These rules take priority over the international private law 
regulations of individual states. Turning to the provisions on determining in- 
ternational jurisdiction, the Brussels I Regulation distinguishes general rules of 
jurisdiction and cases of exclusive jurisdiction, special jurisdiction, and juris- 
diction based on the agreement of the parties. [16] According to the general 
rules, persons domiciled in a member state shall be sued in the courts of that 
member state, irrespective of their nationality.[17] For legal persons, the place 
of domicile is deemed to be the location of their statutory seat, central admin- 
istration, or principal place of business. [18] Under the Regulation, persons re- 
siding in one member state may be sued in the courts of another member state 
only if the nature of the disputed matter or the agreement of the parties justi- 
fies this measure. [19] If the defendant is not domiciled in a member state, it 
is generally a matter of the law of each member state whether its courts have 
jurisdiction to hear a particular case. [20] According to the Brussels I Regula- 
tion, courts in the local jurisdiction shall be governed by the laws of their own 
member state, unless this local court has jurisdiction based on the special ju- 
risdiction rules (see below). 


The rules on exclusive jurisdiction in international cases do not apply to liti- 
gation on trademark infringement caused by use of the Internet. [21] Such In- 
ternet-related litigation may, however, be affected by the rules of special 
jurisdiction, which state that in matters of tort, delict or quasi-delict, persons 
residing in a member state must be sued in the courts of the place where the 
harmful event occurred or may occur (Art. 5 (3) of the Brussels I Regulation). 
According to this provision, these courts have special competence in cases of 
litigation arising from a tort, delict or quasi-delict. These special jurisdiction 
rules reflect the principle that persons harmed by injurious conduct should not 
be forced to sue in the place of domicile of the defendant, which might be out- 
side the state where the harmful event occurred. [22] This concept applies 
solely in these cases of tort, delict or quasi-delict resulting in a harmful event 
or at least in the possibility of such an event. For this reason, the relevant court 
jurisdiction is determined as the place of the harmful event. Nevertheless, the 
availability to the plaintiff of this or any other special jurisdiction rule does not 
exclude the option of applying the general rules on international jurisdiction, 
as described above. In these situations, it therefore always remains possible to 


32 


sue a person in the place of its domicile, and selection of the competent court 
remains at the discretion of the plaintiff. 


The case law of the European Court of Justice, including earlier decisions on 
the identical article of the earlier Brussels Convention, [23] provides useful 
guidance in the interpretation of the terms of Article 5 paragraph 3 of the Brus- 
sels I Regulation. Concerning the wording “matters related to tort, delict or 
quasi-delict”, the European Court of Justice ruled in its judgment C-189/87, 
Athanasios Kalfelis v Bankhaus Schréder, Miinchmeyer, Hengst and Co. and 
others, dated September 27, 1988, that this expression must be regarded as an 
independent construction covering all legal actions seeking to establish the li- 
ability of a defendant that were not contractually related within the meaning of 
Article 5 paragraph 1 of the Regulation. The issue of the real or potential place 
of occurrence of a harmful event had previously been addressed in the Euro- 
pean Court of Justice judgment C-21/76, Handelskwekerij G. J. Bier BV v 
Mines de Potasse d’Alsace SA of November 30, 1976. The court found in that 
case that the expression “place where the harmful event occurred” must be un- 
derstood as intended to cover both the place where the damage occurred and 
the place of the event triggering such damage. In consequence, the defendant 
could be sued, at the plaintiff’s discretion, either in the courts of the place where 
the damage had occurred or those of the place of the event which had triggered 
and been the source of the damage. The plaintiff should be permitted to choose 
the place of the suit, particularly since it had not caused the litigious event and 
so should be granted “an advantage” in bringing the litigation. In the judgment 
C-168/02, Rudolf Kronhofer v Marianne Maier, Christian Möller, Wirich Ho- 
rius, Zeki Karan, dated June 10, 2004, the expression “place where the harm- 
ful event occurred” was held not to refer to the place where the claimant was 
domiciled or where “his assets are concentrated” by reason of the fact that he 
had only suffered financial damage in that place of domicile as a result of the 
loss of part of his assets which had arisen and been incurred in another “Con- 
tracting State”. 


In proceedings involving Community trademark infringement through Internet 
usage, the rules of the Brussels I Regulation are applicable, unless Council 
Regulation (EC) No 40/94 of December 20, 1993 on Community Trade Marks 
(“CTMR”) stipulates otherwise. On this basis, various provisions including the 
general provisions (Art. 2) and rules on special jurisdiction (Art. 5 (3)) under 
the Brussels I Regulation do not apply in these situations. [24] In point of fact, 
the action of infringement should be heard by the European Court of Justice, 
however this court has no jurisdiction in civil disputes between private subjects. 
CTMR therefore delegates the enforcement of Community trademark rights to 
national courts. Each member state is obliged to designate as limited a number 


33 


as possible of national courts and tribunals of first and second instance (‘Com- 
munity trade mark courts’) in its territory which shall perform the role assigned 
to them under the CTMR. [25] These Community trade mark courts have ex- 
clusive jurisdiction for all actions concerning infringement or threatened in- 
fringement (if such threatened infringement actions are permitted under 
national law) that relate to Community trade marks. [26] In principle, the ju- 
risdiction of the Community trade mark courts is based on the place of domi- 
cile of one of the parties. [27] If it is impossible to determine the jurisdiction 
in this manner, these proceedings must be brought in the courts of the member 
state where the Office for Harmonisation in the Internal Market has its regis- 
tered office, i.e. in Spain. [28] The CTMR also allows for the parties’ own 
agreement on the applicable jurisdiction in their case, as well as the appearance 
of the defendant before a different Community trade mark court. [29] Finally, 
Community trade mark courts have jurisdiction concerning any acts of in- 
fringement carried out or threatened inside the territory of any member state. 
[30] The jurisdiction of these courts is, thus, extended to the entire territory of 
the EU. [31] 


When an infringement of trademark rights occurs through the use of a trade- 
mark or other sign on the Internet, the principal question which arises is where 
the infringement has occurred, i.e. how to connect the Internet-related in- 
fringement with the jurisdiction of a particular court. It may be the case that for 
a single instance of trademark infringement over the Internet, the jurisdiction 
of more than one state applies. If the place of the infringement is not only the 
place of its occurrence, but also the place of the event, which gave rise to it, the 
plaintiff will be entitled to choose from several jurisdictions according to the 
one which seems most advantageous to its action. This practice of choosing be- 
tween jurisdictions is commonly called court or forum shopping. Depending on 
the place where the litigation is heard, different conflict of laws rules will de- 
termine the governing law, and these rules may also treat the same legal rela- 
tionship variously. In these circumstances, a wide range of substantive laws 
may be applied across the states, leading to very different litigation results. 
[32] If the plaintiff is allowed to bring multiple actions at one time (e.g. a claim 
based in trademark law as well as one for unfair competition), then individual 
claims may even be brought before different courts in this situation. A single 
infringement may, thus, become the object of several simultaneous proceedings 
in different states. The lis pendens rules under Art. 27 of the Brussels I Regu- 
lation will not apply in this case since the plaintiff will argue that unrelated 
legal rights have been infringed. [33] 


The case of SG 2 v. Brokat informationssysteme GmbH [34] clearly illustrates 
the wide range of interpretations of the term “the place where the harmful event 


34 


occurred” that have been applied by European courts. This case concerned a 
German company which owned the registered trademark “payline” in Ger- 
many for the “Brokat-payline” Internet payment system used on its website: 
www.brokat.de. A French company was the owner of a prior “payline” trade- 
mark issued in France and covering identical services. This French plaintiff 
sought an injunction against the allegedly infringing use of its registered French 
trademark on the German website. The defendant had never sold its products 
in France and used the trademark solely on the German site. The defendant 
contested the French court’s international jurisdiction with respect to the re- 
quested global prohibition on use of the trademark, arguing that such a prohi- 
bition might only, and at very best, be issued by a German court. In its 
judgment, the French court declared its jurisdiction over the German defen- 
dant under Article 5 (3) of the Brussels Convention. The court held, in partic- 
ular, that the defendant’s website was globally accessible, and, thus, the place 
where the harmful event occurred included French territory. On this basis, an 
injunction was issued against Internet use of the trademark obliging the de- 
fendant to cease using the “payline” trademark in France in any manner, and 
hence also, and in particular, on the Internet. 


Given the Internet context of the infringement, the injunction in the Brokat 
case was territorially unlimited since otherwise the French trademark owner’s 
rights would be infringed continually. This finding has since been queried by 
legal theorists who argue that applying this expansive interpretation is not an 
appropriate way of resolving trademark disputes involving the Internet. [35] If 
the place where the harmful event occurs is viewed as the territory ofany state 
where the data can be downloaded to a computer and subsequently displayed, 
then, these theorists contend, this location will potentially include every coun- 
try in the world. In such case, a large number of companies will no longer be 
able to use the Internet for commercial purposes. 


The case of SG 2 v. Brokat informationssysteme GmbH may be seen as a rather 
extreme instance. Nevertheless, it points to the absence at present — and most 
likely in the foreseeable future - of any universal system for determining the 
place of a harmful event in these situations. If trademark rights are infringed 
through Internet usage, then even a relatively simple harmful event may lead 
to very complex legal problems concerning the establishment of jurisdiction 
and consequently of applicable law. 


3. Applicable law 


The conferment of jurisdiction, i.e. the determination of the court competent to 
decide the case on the merits, represents only the initial barrier in handling any 
litigation on online trademark infringement which has an international ele- 


35 


ment. A secondary, but also troublesome issue concerns the applicable law, i.e. 
the binding substantive regulations, which should be applied in these situa- 
tions. The choice of this law is a matter for the court delivering the judgment 
on the merits. In determining the governing regulations, this court will pro- 
ceed according to the international private law of its legal system. In the case 
of trademark infringement through Internet use, the applicable law must be set 
on the basis of the territorially connecting factors under the conflict of law 
rules governing the obligations arising from such delict. 


As discussed in the previous section, the jurisdiction and governing law issues 
remain to some degree connected in many situations of this type. In particular, 
if litigation in two or more jurisdictions is possible because an online trademark 
infringement has occurred in several states, the plaintiff will choose to file in 
whichever jurisdiction offers the most advantageous conditions for its suit. 
When selecting the state in which to launch the action, it will, thus, look to the 
particular conflict of laws rules of that state, i.e. the rules that determine the 
governing law. Depending on the state selected, such rules may also classify the 
plaintiff's relationship with the defendant in diverse and even opposed ways. 


A further development at a Community level has seen the recent adoption of 
regulations concerning the governing law for non-contractual obligations. This 
Regulation (EC) No 864/2007 on Laws Applicable to Non-contractual Obli- 
gations (Rome II) dated July 11, 2007 (the “Rome II Regulation”) [36] will 
take effect from January 11, 2009 [37]. It applies specifically to non-contrac- 
tual obligations in civil and commercial situations involving conflicts of laws. 
Any tule specified in the Rome II Regulation will need to be applied by mem- 
ber states, irrespective of whether it corresponds with their state laws. Signif- 
icantly, the new law includes express and binding provisions on 
non-contractual obligations arising from the infringement of intellectual prop- 
erty rights [38]. The infringement of an intellectual property right, including a 
trademark right, shall be governed by the law of the country in which protec- 
tion is claimed (lex loci protectonis). Where trademark rights are infringed, 
any resulting issue not regulated by the CTMR will be governed by the law of 
the country where the violation took place. The parties may not deviate from 
this applicable law based on a separate agreement on the choice of law. 


At an EU level, the various claims, mechanisms, and remedies available to par- 
ties have their basis in European Parliament and Council Directive 2004/48/EC 
on the Enforcement of Intellectual Property Rights dated April 29, 2004 [39] 
(the “Directive”). The Directive sets out measures, procedures, and remedies 
for the due enforcement of intellectual property rights among the member states 
of the EU. [40] Member states shall construe their own laws in accordance with 


36 


this Community instrument and its established interpretation. Under the Direc- 
tive, member states must maintain a competent court (the “Court”) that will: (i) 
take prompt and effective provisional steps to preserve all relevant evidence, (ii) 
issue interlocutory injunctions against imminent infringements of intellectual 
property rights, and (iii) prevent the continuation of any alleged infringements of 
these rights. [41] This Court may order that an infringing party and/or any other 
person furnish information about the source and distribution networks of any 
goods or services infringing intellectual property rights. [42] 


In addition, the Directive sets out specific prohibitive actions which the Court 
may implement according to its decision on the merits, i.e. corrective orders, 
injunctions, and alternative measures. In enforcing corrective orders, the Court 
may demand, at the request of the plaintiff that appropriate steps be taken to 
dispose of the goods, tools, and materials used principally for the creation or 
manufacture of goods infringing intellectual property rights. [43] Such meas- 
ures include the recall of these items from the channels of commerce, their def- 
inite removal from these channels, and their destruction, all to be accomplished 
principally at the expense of the infringer. If the Court holds that an intellec- 
tual property right has been violated, it may impose an injunction on the in- 
fringing party prohibiting the continuation of the infringement. [44] 
Furthermore, the Court may be authorised by the member state to order alter- 
native measures in appropriate cases at the request of the infringing party. In 
these cases, the Court may order the infringing party to pay financial compen- 
sation to the injured party in lieu of the various corrective orders and injunc- 
tions described in this paragraph. 


In addition to these measures, the Directive states that member states must en- 
sure that, if so requested by the injury party, the Court can instruct the in- 
fringing party to pay this person damages appropriate to the actual harm he/it 
suffered as a result of the infringement. [45] In the alternative, these damages 
may be set as a lump sum based on factors including at least the amount of 
royalties or fees applicable. The member state must also ensure that, if the in- 
jured party so requests, the Court is able to order appropriate measures to dis- 
seminate information concerning the decision, (including the display and 
publication of the decision), which should be financed by the infringing party. 
[46] 

The Directive stipulates expressly that its aim is not to establish harmonised 
rules on judicial cooperation, jurisdiction, or the recognition and enforcement 
of decisions in civil and commercial matters. Furthermore, it is not intended to 
deal with the matter of applicable law. [47] 


37 


4. Judgment Recognition and Enforcement 


Generally, the recognition and enforcement of judgments by the courts of dif- 
ferent states depends largely on the participation in a special international treaty 
of both the state where the judgement was issued and the state where it shall 
be recognised and enforced. In addition, the reciprocity principle must be ob- 
served wherever the recognition and enforcement of a foreign court judgment 
is concerned. 


From a global standpoint, the most general international treaty in the area of 
civil procedural law is the Convention on Civil Procedure, which was con- 
cluded on 1 March 1, 1954 at the Hague (the “Convention”). This instrument 
regulates, inter alia, fundamental issues in the co-operation of the various 
courts of its member states. With respect to the EU member states, it is worth 
noting that the Convention remains unaffected by the Community law. Ac- 
cording to Article 71 paragraph 1 of the Brussels I Regulation, the Convention 
is rather an instrument to which these member states are parties and which also 
governs certain matters related to governing jurisdiction and judgment recog- 
nition and enforcement. For this reason, all EU member states remain subject 
to the Convention even where decisions thereunder relate to a subject matter, 
time limit, and local jurisdiction also covered by Community law. At the same 
time, the Convention does not exert exclusive force on its participants. As a re- 
sult, all entitled persons may choose instead to rely on Article 38 and subse- 
quent provisions of the Brussels I Regulation when seeking to recognise and 
enforce judgments inside the EU. 


The Brussels I Regulation includes provisions on the free movement of judg- 
ments in civil matters, which especially relate to the recognition and enforce- 
ment of these judgments across the European judicial arena. [48] The 
Regulation applies solely to judgments in civil or commercial matters. Only 
judgments issued by an EU state court shall be recognised and enforced in this 
manner; judgments of other states are exempted from these provisions, and the 
Brussels I Regulation does not apply to judgments issued in such states. [49] 
In this connection, the sole consideration should be whether the particular judg- 
ment was issued by a court of another EU member state, even in cases where 
the place of the defendant’s domicile lies outside the EU. In other words, the 
domicile of the parties is in no way relevant to the application of the Brussels 
I Regulation. 


The Regulation sets out extensive procedural and substantive law rules gov- 
erning the recognition and enforcement of judgments among the EU states. In 
particular, it stipulates that once a judgment has been issued in an EU member 
state and becomes enforceable there, it may only be enforced in another mem- 


38 


ber state when, upon the application of an interested party, the decision is de- 
clared enforceable in that other member state. [50] The procedure for lodging 
recognition and enforcement applications is governed by the law of the mem- 
ber state where the judgment shall be enforced. [51] The EU member state 
court wishing to recognise the judgment shall not be bound by the opinion of 
the EU member state court issuing that judgment whether the matter is civil or 
commercial. [52] The substantive content of a foreign judgment may not be re- 
viewed under any circumstances. [53] In judgment enforcement proceedings, 
exclusive jurisdiction under the Brussels I. Regulation is conferred on the 
courts of the EU member state in which the judgment has been or will be en- 
forced. [54] 


There can be no doubt that the Courts within the Union benefit from their inter- 
connection through delimitation and transfer rules when it comes to the recog- 
nition and enforcement of judgments. Nevertheless, even these measures fail 
to counter the specific difficulties discussed in this submission in connection 
with efforts to redress trademark violations on the Internet. These problems, re- 
sulting particularly from the expansive, and even limitless, nature of the po- 
tential jurisdiction in these cases, are perhaps best highlighted by the judgment 
in SG 2 v. Brokat. In this case, the plaintiff sought, and the court granted, an 
order to remove violating data from a globally accessible server. As noted 
above, the enforcement of such a judgment raises serious practical, commer- 
cial, and economic risks which remain unacceptable within the European con- 
text. 


5. Conclusion 


There is, at present, very limited certainty or clarity among the legal commu- 
nity about how to respond to the alleged infringement of trademarks - or indeed 
of any intellectual property rights - based on the use of the Internet. Given the 
global and unpredictable nature of online activities, it is extremely difficult to 
predict how the jurisdiction of a single national court might be fixed, or an ap- 
plicable law might be chosen in these cases. In fact, all the traditional and fa- 
miliar criteria — i.e. territorially connecting factors such as the physical location 
of individual objects and the places of parties’ domicile - that have been used 
to resolve these problems now look hopelessly anachronistic. From this point 
onwards, when considering intellectual property law rights and obligations, 
the key location will be every territory where data can be downloaded; it will 
be any country in which the Internet may be accessed, or, in effect, the entire 
world. 


In cases of trademark - or any IP right — infringement involving the Internet, 


39 


major legal problems may, thus, be expected in determining the applicable law 
and, in particular, the court with jurisdiction to hear the complaint, (or even 
the criteria for establishing this jurisdiction). 


In response to these complex and pressing issues, this submission has sought 
to clarify the mechanisms by which EU courts may now approach and resolve 
cases in this area. 


In this regard, it is clear that the unification of principles and policies at a Com- 
munity level is crucial for the development of predictable and workable solu- 
tions. Encouragingly, the last few years have seen remarkable achievements 
in judicial cooperation in civil and commercial matters across the EU. EU 
courts must now proceed in accordance with Community law, including the 
highly influential provisions of the Brussels I Regulation and very soon also the 
Rome II Regulation. The delayed adoption of the Directive on Certain Aspects 
of Mediation in Civil and Commercial Matters due to ongoing discussions of 
European parliament represents a setback in this regard. [55] Nevertheless, in- 
creased unification in the area of judgment enforcement may be expected in the 
future. Green Papers were presented on the effective enforcement of judicial 
decisions on October 24, 2006. [56] 


It seems that currently the only global, i.e. not EU-limited, solution to Internet- 
related IP problems lies in the gradual harmonisation of positions on jurisdic- 
tion, applicable law, and foreign judgment enforcement and recognition under 
directly applicable multilateral international conventions. Various associations 
and organisations, including WIPO, and the Hague Conference on Private In- 
ternational Law (the “Hague Conference”), have focused extensively on these 
problems as part of their own research and development programmes. 


WIPO has dealt with many of these issues under the auspices of the WIPO 
Forum on Private International Law and Intellectual Property. This forum rep- 
resents an initial step in the long-term process of identifying possible issues for 
international cooperation. It has provided WIPO member states and the inter- 
national intellectual property community with an opportunity to exchange 
views on this area of growing concern. [57] 


The objective of the Hague Conference, whose member states include the EU, 
[58] is to work towards the progressive unification of international private law 
rules, inter alia, through the development of judicial cooperation in civil mat- 
ters and support of the full completion of the mutual judgment recognition 
programmes. The Hague Conference has prepared a Preliminary Draft Con- 
vention on Jurisdiction and Foreign Judgments in Civil and Commercial Mat- 
ters, [59] which contains provisions on intellectual property disputes. This draft 
has been praised by some legal commentators as a promising contribution to 


40 


the jurisprudence in this area. [60] However, the progress of this draft has been 
intercepted. 


Notes and References: 


[1] This submission has been developed under the auspices of the research programme 
MSM 21620804. 

[2] For a discussion of substantive legal issues in trademark right protection, please see 
Slováková, Z. ‘Protection of Trademarks and the Internet with respect to the Czech Law’, 
in Complex 4/06, Legal, Privacy, and Security Issues in Information Technology, Vol. 2. or 
Journal of International Commercial Law and Technology, Vol. 1., No. 2 (2006), pp 72-79. 
[3] Paris Convention for the Protection of Industrial Property of March 20, 1883, as re- 
vised in Brussels on December 14, 1900, in Washington on June 2, 1911, at The Hague on 
November 6, 1925, in London on June 2, 1934, in Lisbon on October 31, 1958, and in 
Stockholm on July 14, 1967, and as amended on September 28, 1979 

[4] Art. 2 (1) of the Paris Convention. 

[5] Art. 4 of the Paris Convention. 

[6] Madrid Agreement Concerning the International Registration of Marks of 
April 14, 1891, as revised in Brussels on December 14, 1900, in Washington on 
June 2, 1911, at The Hague on November 6, 1925, in London on June 2, 1934, in Nice on 
June 15, 1957, and in Stockholm on July 14, 1967, and as amended on September 28, 1979; 
Protocol Relating to the Madrid Agreement Concerning the International Registration of 
Marks, adopted in Madrid on June 27, 1989 and amended on October 3, 2006; Trademark 
Law Treaty adopted in Geneva on October 27, 1994. 

[7] For a Czech commentary, please see Kučera, Z., Mezinárodní právo soukromé, 6. 
opravené a doplněné vydání, Doplněk, Brno, pp. 283-284. 

[8] See “WIPO Forum on Private International Law and Intellectual Property”, Geneva, 
January 30 and 31, 2001, Background Paper Prepared by the International Bureau, 
WIPO/PIL/01/9, January 29, 2001. Available at http://www.wipo.int/edocs/mdocs/ 
en/wipo_pil_01/wipo_pil_01_9.doc. 

[9] Official Journal of the European Communities, January 16, 2001, L 12/1. 
[10]According to its Art. 68 (1), this Regulation supersedes the Brussels Convention among 
the member states. 

[1] Art. 4 of the Council Decision on Signature on behalf of the European Union of Con- 
vention on the Recognition and Enforcement of Judgments in Civil and Commercial Mat- 
ters. 


[12] The Lugano Convention II was endorsed in Brussels on March 28, 2007 and signed 
on behalf of the EU on October 30, 2007. Its parties are the EC member states, Iceland, Nor- 
way, Switzerland and also Denmark, which shall be bound to the extent that the rules of this 
convention relate to it. 


[13] Art. 64 (1) of the Lugano Convention II. 
[14] Art. 70 (1) of the Brussels I Regulation. 


[15] http://eur-lex.europa.eu/LexUriServ/site/cs/oj/2006/ce32 1/ce32120061229cs 0001 
0331.pdf 


[16] Chapter II (Art. 2-31) of the Brussels I Regulation. 
[17] Art. 2 (1) of the Brussels I Regulation. 


41 


[18] Art. 60 (1) of the Brussels I Regulation . 
[19] Secs. 2-7 Chapter II of the Brussels I Regulation. 
[20] Art. 4 of the Brussels I Regulation. 


[21] These rules set out cases where the relevant jurisdiction is strictly prescribed, irre- 
spective of the place of domicile of the defendant. In intellectual property matters, such 
exclusive jurisdiction applies to proceedings on the registration or validity of patents, trade- 
marks, designs, or other similar rights required to be deposited or registered. The relevant 
jurisdiction is the courts of the member state in which the deposit or registration has been 
applied for, has taken place or is under the terms of a Community instrument or an inter- 
national convention deemed to have taken place. 


[22] For a discussion of this principle, please see Rauscher, T.: Europaisches Zivilprozess- 
recht, Mnichov, 2004, str. 121-122; for a Czech commentary, see Brodec J.,Alternativni 
soudní příslušnost die nařízení’ Brusel I. Jurisprudence 3/2007, p. 56. 

[23] Preamble (19) to the Brussels I Regulation stipulates the need for continuity which 
should also be observed by the ECJ in its interpretation of the Brussels Convention. 


[24] Arts. 90 (1) and (2 (a)) of the CTMR. 
[25] Art. 91 (1) of the CTMR. 
[26] Art. 92 (a) of the CTMR. 


[27] Art. 93 of the CTMR states that proceedings on the actions and claims mentioned in 
Art. 92 shall be brought in the courts of the member state in which the defendant has domi- 
cile or, if the defendant lacks domicile in any member states, in which he/it has an estab- 
lishment. If it is impossible to determine the jurisdiction in this manner, such proceedings 
shall be brought in the courts of the member state in which the plaintiff has domicile or, if 
the plaintiff lacks domicile in any member states, in which he/it has an establishment. 


[28] Art. 93 (3) of the CTMR. 

[29] Art. 93 (4) of the CTMR. 

[30] Art. 94 of the CTMR. 

[31] See Gastinel, E., Milford, M., The Legal Aspects of the Community Trade Mark, 2001 
Kluwer Law International, p. 182-183. 


ous 


[32] For a Czech commentary, please see Kučera, Z., Pauknerova, M., Růžička, K., Zunt, 
V., Uvod do práva mezinárodního obchodu, 1. vydání, Aleš Čeněk, 2003, p. 279. 


[33] See Bohdan, M. ‘Internet and Private International Law’ in Polčák R. a kol. Introduc- 
tion to ICT Law (selected issues). Brno: Masarykova univerzita, 2007, p. 22 ff; for a Czech 
commentary, see also Polčák, R. K otázce působnosti práva na internetu, Jurisprudence 
3/2007, p. 11. 


[34] SG 2 v. Brokat Informationssysteme GmbH, Nantere Court of Appeals, October 13, 
1996, discussed in Torsten Bettinger and Dorothee Thum, “Territorial Trademark Rights in 
the Global Village — International Jurisdiction, Choice of Law, and Substantive Law for 
Trademark Disputes on the Internet (Part one)“, International Review of Industrial Prop- 
erty and Copyright Law, IIC Vol 31, No 3/2000, pp. 166-167. 


[35] Ibid 33. 

[36] Official Journal of the EU, 11 June 2007, L 199/40 
[37] Art. 32 of the Rome II Regulation 

[38] Art. 8 of the Rome H Regulation 


42 


[39] Official Journal of the European Communities, June 2, 2004, L 195/16. 
[40] Preamble (28), Art. (1) of the Directive. 

[41] Arts. 7 and 9 of the Directive. 

[42] Art. 8 of the Directive 

[43] Art. 10 of the Directive. 

[44] Art. 11 of the Directive. 

[45] Art. 13 of the Directive. 

[46] Art. 15 of the Directive. 

[47] Preamble (11) of the Directive. 


[48] The rules on judgment recognition and enforcement are contained in Chapter HI (Arts. 
32-56) of the Regulation. 

[49] Art. 32 of the Brussels I Regulation. 

[50] Art. 38 (1) of the Brussels I Regulation. 

[51] Art. 40 (1) of the Brussels I Regulation. 

[52] For a Czech commentary, see Vaške, V. Uznání a výkon cizích rozhodnutí v Ceské re- 
publice, 1. vydani. Praha: C.H.Beck, 2007. 

[53] Art. 36 of the Brussels I Regulation. 

[54] Art. 22 (5) of the Brussels I Regulation. 

[55] Communication from the Commission to the Council and the European Parliament, 
Report on the implementation of The Hague programme for 2006, COM (2007) 373 final, 
Brussels, 3.7.2007. 

[56] Ibid 49. 

[57] WIPO Forum on Private International and Intellectual Property, Geneva, January 30 
and 31, 2001, Background Paper prepared by the International Bureau, WIPO/PIL/01/9. 
[58] On October 5, 2006, the Council adopted a decision on the accession of the Commu- 
nity to the Hague Conference on Private Law (Official Journal of the European Commu- 
nities, October 26, 2006, L 297/1). The EU acceded to the Hague Conference on Private 
International Law on April 3, 2007. 

[59] Preliminary Draft Convention on Jurisdiction and Foreign Judgements in Civil and 
Commercial Matters adopted by the Special Commission on 30 October 1999. Available at 
http://www.hbcch.net/upload/wop/jdgmpd11.pdf 

[60] Dinwoodie, Graeme B., “Private International [Law?] Issues in Trademark Protec- 
tion”, pp. 12, 57, ff. Available at http://works.bepress.com/cgi/viewcontent.cgi? arti- 
cle=1037&context=graeme_dinwoodie. 


43 





Armageddon on the Digital Superhighway: 
Will Google E-Library Project weather the storm? 


Akhil Prasad 
IVth Year Student of Law, 
Gujarat National Law University, Gandhinagar, Gujarat, India 
akhil_99@hotmail.com 


Aditi Agarwala 
IVth Year Student of Law, 


Gujarat National Law University, Gandhinagar, Gujarat, India 
aditi_2k2002@yahoo.com 


Abstract. This paper examines the concept of copyright as an 
intellectual property in the digital age and the utilitarian objective which 
an intellectual property seeks to achieve. In that respect ‘Fair Use’ as a 
concept of U.S. Copyright law has been critically analysed. An ongoing 
Court battle involving the dispute between Google and the Author’s 
Guild & Publishers has been examined and an attempt has been made to 
justify the act of Google under the Fair Use doctrine. At the heart of the 
work, one shall be able to appreciate the pressing need for the Copyri- 
ght laws to be rewritten for the digital age. Recourse has been made to 
numerous case laws to appreciate the concept of fair use and this paper 
concludes by holding Google’s project of digitizing copyrighted books 
as ‘fair’ as it fulfils the primary aim of copyright law which is “enco- 
uragement of learning” and “dissemination of knowledge”. 


Key Words: E-Library, Digitization, Copyright Infringement, Fair Use Doctrine, 
Public Interest 


1. Copyright - A Stimulus to Creativity 


Innovation and creativity are the tools to climb the progressive ladder of hu- 
manity. It is not only to be encouraged by allowing the intellectual mind to 
reap the fruits of his labor through trade and commerce but also prevent his 
loss/detriment by prohibiting unauthorized and unscrupulous persons or enti- 
ties to unjustly enrich their pockets through sales on the sly or, enhancing their 
reputation or marketability of the work under their hand by lifting the copy- 
righted material and incorporating/merging it in their own without the permis- 
sion of the author, minus any acknowledgement in the least with the intent to 
improve or increase the marketability. Copyright encourages the creative efforts 
of authors, artists, and others by securing the exclusive right to reproduce works 
and derive income from them. 


45 


The Copyright law was embarked as a codified body of law when the Statute 
of Anne received the assent of the British Parliament way back in 1710. The 
very nature and purpose of the statute was two fold: the first to promote learn- 
ing or dissemination of knowledge [1] and the second, to prevent any other 
person save the author to print or reprint the literary work for a limited dura- 
tion. 


The most important part in terms of relevancy to the subject matter of this 
paper is perhaps the fifth clause of the Anne’s statute which mandated that 
‘nine’ copies of each book, shall be kept in nine libraries (one copy each), of 
the stated Universities therein for the purposes of accessibility and dissemina- 
tion of knowledge to the public at large thus promoting literacy and thereby so- 
cial good, and a stringent monetary penalty was attached, in case of non 
compliance of the aforementioned clause. The statute also envisaged a formal 
system of price control and redress mechanism as well. 


Thus, it is observed that at the time when the foundation of the modern copy- 
right law was being laid down, the legislative intent was to further or promote 
dissemination of knowledge, but at the same time the private right of the au- 
thor was bring respected and protected. In essence, it was a fine balancing act 
in which the author’s right was secured and at the same time, his right was not 
impeding the ‘encouragement of learning.’ 


The centuries old common law statute continues to impact and influence the 
copyright law countries such as the U.S. wherein the framers of the U.S. Con- 
stitution relied on this statute when drafting the Copyright Clause of their Con- 
stitution which reads as: 


“The Congress shall have Power ... to promote the 

Progress of Science ... by securing for limited Times 

to Authors ... the exclusive Right to their respective 

Writings....” [2] 
Moreover, the Congress directly transferred the principles from the Statute of 
Anne into the Copyright law of the United States through a recommendation 
to the States to enact similar copyright laws, and then in 1790, with the passage 
of the first American federal copyright statute. The U.S. Supreme Court has ob- 
served that ‘the primary objective of copyright is not to reward the labor of au- 
thors, but “to promote the Progress of Science and useful Arts.”[3] 


2. From the Past to the Present — The Era of Digitization 
That was the age of print technology. Mankind has now entered into an age, 


which commands a much advanced form of technology; we call it the ‘Digital 


46 


Age’. Print exists, but is slowly giving way to the electronic form of data, 
which overcomes the limitations of the print technology under a number of 
‘heads’ and ‘counts’ such as storage, transfer, reproduction, archiving etc. such 
that one can say that print is co-existing with digital technology and a time will 
come when digitization will marginalize print just like the keyboard and com- 
puter has marginalized the use of typewriter. 


From the concept of a library where one envisaged books in large numbers, 
we are making a transition into an era of e-books. These are such books which 
will have zero cost on the trees and survive till eternity if kept safely. The 
threshold of ‘safety’ considerations in an online environment is very high as 
compared and contrasted with books made of paper. Such a technological for- 
mat shall have to be protected from the electronic bug that is commonly re- 
ferred as a ‘virus’ in the etymology of computer science through latest state of 
the art software programs referred to as ‘anti-virus software’. We are slowly 
doing away with print books and introducing the contents of this physical book 
in a much ‘eco-friendly’ and technologically savvy format which the digital 
era has brought about. 


The books in the electronic format shall do away with universal problems faced 
by the print book such as their physical nature which exposes themselves to de- 
teoration as they age. The digital book on the other hand can be produced and 
reproduced with minimal costs, blinding speed and unfailing accuracy and can 
be transported from one part of the world to another in a matter of a few sec- 
onds through the cyber space we call the internet. It can be stored and retrieved 
easily and uses no physical space at all except the hard disk on which the data 
is stored. This will do away with the construction costs and time and physical 
space involved in the construction of huge libraries. The revolution brought 
about by the digital technology is already being harnessed by nations such as 
the United States of America inasmuch as conversion of books in e-format is 
concerned. 


2.1. E-Libraries 


The concept of electronic libraries is not a concept brought to the fore in this 
new millennium. Two such projects owe their origin to the nineties. 


The Internet Archive is an initiative, a nonprofit founded to build a digital li- 
brary offering permanent access for researchers, historians, and scholars to his- 
torical collections that exist in digital format. Founded in 1996, the Internet 
Archive receives data donations and has grown to include texts, audio, mov- 
ing images, software and archived web pages in its collections [4]. 


Moreover, Project Gutenberg, the first and the largest producer of free elec- 


47 


tronic books (e-books), has placed thousands of e-books on the web since 1989, 
and plans to reach the 1 million e-book record by 2015 [5]. Most of the e-books 
which are made available by this corporation are in the public domain. 


However, what about the books enjoying copyright protection? Can they 
be digitized without the permission of the owner of the copyright? Amongst 
the bundle of rights which the copyright owner enjoys under the aegis of the 
statute, one of the most important from the economic perspective is the right 
to reproduction or authorize reproduction of copies of which he owns the copy- 
right. 


However, the jurisprudential development of the law of copyright has given 
~ tise to this concept of ‘fair use’ which is understood to be an affirmative defense 
to copyright [6]. It recognizes certain uses of the copyrighted work by another 
without the permission of the copyright holder as legitimate, subject to meet- 
ing certain criterion including the most important, that the use must not un- 
reasonably prejudice the economic rights of the copyright holder. The defense 
of fair use offsets the liability on the part of the user on the allegation of in- 
fringement in the absence of which the user can be held culpable for infringe- 
ment. Thus, whether a use is ‘fair’ or not is a question of fact and there is no 
straight jacket formula to demarcate or distinguish ‘fair use’ from ‘unfair use’, 
the latter attracting the ‘infringement clause.’ 


3. What is this Fair Use? 


The term ‘fair use’ or rather the doctrine as it has evolved in the jurisprudence 
of Copyright law finds its roots in the understanding that copyright is not an ab- 
solute right and it is permitted, under the sanction of law pertaining to copy- 
right, that any person, other than the one who is the holder of ‘copyright’ of the 
work in question has, what the authors would term as ‘liberty’, to copy to a lim- 
ited extent without requiring permission from the owner of the copyright be it 
the author or any other person in whom such a right is vested. 


Fair use is not a ‘license’ but in the nature of a privilege by virtue of which, the 
person pleading defense against a suit for infringement can escape the clutches 
of copyright law. As Crews (1993) points out, fair use doctrine helps to prevent 
the copyright owners’ exclusive rights from interfering with the Framers’ stated pur- 
pose of the promotion of learning (as cited in Cohen, 2001, p. 170). 


The larger goal of copyright as a discipline of law is the advancement of human 
knowledge. The doctrine of fair use has developed over the years as Courts 
tried to balance the rights of copyright owners with society’s interest in al- 
lowing copying in certain, limited circumstances. This doctrine, has at its core, 


48 


a fundamental belief that not all copying should be banned, particularly in so- 
cially important endeavors such as criticism, news reporting, teaching, and re- 
search [7]. 


The term ‘fair use’ is peculiar to the United States; a similar principle, fair deal- 
ing, exists in some other common law jurisdictions such as U.K. and India [8]. 


Until codification of the fair-use doctrine in the 1976 Act, fair use was a judge- 
made right [9] developed to preserve the constitutionality of copyright legis- 
lation by protecting First Amendment values [10]. Thus, the doctrine of fair 
use is an evolving principle of the U.S. Judiciary over the years. This doctrine 
has now been codified in section 107 of the Copyright law and has been de- 
scribed as “the most troublesome in the whole law of copyright” [11]. It is a 
judge made law codified in S.107 [12] of the U.S. Code. 


These four fair use standards to adjudge whether a use of copyrighted work is 

fair or not, largely balancing the tension between the economics of copyright 

law vis-a-vis social objective have been adopted in section 107 and they are: 
1) The purpose and character of the use, including whether such use is 
of a commercial nature or is for nonprofit educational purposes; 


2) The nature of the copyrighted work; 


3) The amount and substantiality of the portion used in relation to the 
copyrighted work as a whole; and 


4) The effect of the use upon the potential market for or value of the 
copyrighted work. 


4. The Google Controversy 


A degree of uncertainty has always surrounded the concept of “fair use” or 
“fair dealing,” which allow for non-commercial uses of copyright works in the 
service of education or information. (Dr. Mira, p.7) 


The Google Print [13], now renamed as Google Book Search [14] (“Google 
Print”, 2005) has sparked a raging controversy as to whether the digitization of 
libraries can be covered under the fair use clause of copyright in that does it 
meet the four factor test under S. 107 of the United States Copyright Act, 1976. 
Google is scanning books (under copyright as well as in public domain) of four 
University Libraries and one Public Library without the permission of the 
copyright holder i.e. authors/ publishers. As a result, they are battling a lawsuit 
[15] filed by America’s largest Author’s Guild and few Publishers back in Sep- 
tember and October 2005 which is pending before the New York Court. Op- 
ponents are alleging that this act of Google is a blatant violation of copyright 
law. 


49 


There is no issue with scanning the books in the public domain [16] and mak- 
ing it available online. Search engines such as Yahoo and corporations such as 
Microsoft are coming with such initiatives [17]. Project Gutenberg has been a 
pioneer in this field. However as Band (2006) points out, “The salient differ- 
ence between these projects and Google’s Library Project is that these proj- 
ects will involve only works in the public domain or works where the owner 
has opted-in [18] to the digitization, while Google intends to scan in-copyright 
books without the owner’s authorization, as well as works in the public do- 
main.” 


What Google aims, is that it would provide a search index of the books which 
it shall digitize and the user, searching through the database, shall find the bib- 
liographic information as well as a few text ‘snippets’ around the search term 
which he has entered. It equates such an act with that of a person browsing 
pages in a library or a book store [19] (“Google check”, 2004).Further it shall 
provide with the option of purchasing of the book, which a prospective buyer 
may be viewing [20]. 


The search results will depend on the copyright status of the book. For works 
in the public domain, the user will have access to the entire text. For works 
under copyright protection, the user will see the bibliographic information as 
well as a few text “snippets” around the search term, unless the publisher has 
given Google permission to display more text [21]. (Elisabeth, 2005, p.2). The 
number of snippets as Google states shall not be more than three. Band (2006) 
states that Google will not display snippets for certain reference books, such as 
dictionaries, for there is likelihood that the market for the work could be 
harmed and further highlights that in such exceptional cases, only the biblio- 
graphic information shall be displayed [22]. 


Now let us closely evaluate the ‘business’ of Google in this context. It is true 
that Google shall be scanning all books of the 5 libraries and digitizing the 
same, except those in the ‘opt out’ policy [23]. It shall be doing so without the 
permission of the copyright holders or their licensees, though such parties can 
choose to restrain Google by electing for the ‘opt out’ policy. It is doing so in 
pursuance of an agreement with the five eminent libraries those are willing to 
donate books for the same purpose in return of a copy in the digitized format. 
Google responds that this copying is permitted under the fair use doctrine 
(Band, 2006). As predicted, Google has been sued for this venture and matter 
is already pending before the New York Court. 


Their objection is not that Google is creating a full text search index; it is that 
Google is creating the index without their permission (Band, 2006). The 
econometrics of this endeavor has not been disclosed by the company, but one 


50 


can say without doubt that the costs shall run into millions of U.S. dollars. [24] 


The issue is whether Google is creating a virtual library by this? If so, whether 
Google is permitted under the library exemption or fair use doctrine contained 
in the copyright legislation of the United States? 


4.1. The Library Exemption 


The answer to the first question would be both ‘yes’ and ‘no’ depending upon 
the copyright status of the work. The works are broadly classified as ‘works in 
public domain’ and ‘works not in public domain’ and thus enjoying the copy- 
right protection. For the works which are in the public domain and which no 
longer enjoy copyright protection, Google is both morally and legally justified 
in doing so. For the works in the public domain no longer enjoy the legal mo- 
nopoly as such time has elapsed within which the creator of the work had to be 
rewarded and such time has commenced where the larger goal which copy- 
right seeks to serve i.e. “to promote the progress of science and arts.”[25] 


Indeed Google is creating a virtual library of works that happen to be in the 
public domain. However, the more important question is with respect to the 
works which are not in the public domain and enjoy copyright protection. It is 
submitted that Google is not creating a virtual library for such works, but only 
a virtual market, for the user, who wishes to browse Google’s database using 
Google’s search engine. 


Inasmuch as the answer to the second question is concerned, the scope being 
limited to the second category of works, i.e. copyrighted works; for the act to 
qualify the fair use test it has to satiate the four fair use prongs encapsulated in 
S.107 of the copyright statute or meet the library exemption clause contained 
in S.108 which introduces certain limitations on the exclusive right of the copy- 
right holder for reproduction by libraries and archives. 


The library exemption permits reproduction solely for purposes of preservation 
and security or for deposit for research use in another library or archives, the 
latter being conditional and expressly clarifies that it should not be with any 
purpose of direct or indirect commercial advantage [26]. Moreover, this ex- 
emption is limited to only unpublished works for archival purposes, out-of- 
print works, or replacements for damaged and lost works and not more than 
three copies can be produced [27]. Libraries, however, are not allowed to sys- 
tematically make digital copies of their entire collections — whether for re- 
search, indexing or educational purposes — without compensation to copyright 
holders. (Alan, 2006, p. 4) 


However, the library exemption only applies to library, what we commonly 


51 


understand as a ‘brick and mortar’ library. Though Google’s purpose of con- 
verting the book into a digital format may be for storage purposes as well, apart 
from other purposes, as the digitized copy shall be handed over to the libraries 
which donate such books, it is clear that this exemption does not extend to the 
digital library or the electronic library or the virtual library. Such concepts are 
of a much recent origin and the library exemption was never meant to be ap- 
plicable or extendable to include digital libraries. 


4.2. Fair use Test 


The second is the fair use test which Google asserts. How is this ‘Googleism’ 
covered by the doctrine is a question which Google maintains that it is pro- 
tected by limitations set forth in the copyright statute, chief amongst them - 
the fair use clause and the first amendment values. 


Google shall have to satisfy each criteria of the fair use four factor test. How 
is Google’s act justified under the prism of fair use is a question of fact and an 
attempt to answer this question has been made in the following pages, consid- 
ering that it is the primary mandate of the U.S. Copyright regime to ‘promote 
the progress of science and useful arts’ not any less than to reward its authors. 
As noted earlier, the Supreme Court of the United States has held in the larger 
picture of the copyright system is not to reward the authors but ‘encourage- 
ment’ and ‘promotion’ of learning. 


Against this backdrop, Google’s act is weighed against the four factor test. But 
before this, it has to be acknowledged that the burden of proving that the use 
was presumptively unfair shall shift to the defendant if the plaintiff succeeds 
in proving that the act complained of constitutes a prima facie case of in- 
fringement (see WikiReader: Free Software and Free Contents, 2004, p.41). If 
there is no infringement, the defense of fair use is not called for and shall not 
serve any ‘legal’ purpose. 


In the case of Google, an inference of such nature may be presumptively drawn 
since Google is scanning entire books for the purposes of digitization without 
the express consent of the copyright holder. The right of reproduction is the 
right of the copyright holder and if no authorization is procured from the right 
holder, such an act may constitute a prima facie case of copyright infringe- 
ment. Moreover in no case, does fair use permit full copying of the book. 


Assuming arguendo, Google takes such a defense in the Court for it has little 
option otherwise, the moot question is - how will it be able to justify its stand? 


It has been observed that “from the infancy of copyright protection, [the fair use 
doctrine] has been thought to fulfill copyright’s very purpose, ‘[t]o promote 


52 


the progress of science and useful arts” [28] and “the ultimate test of fair use... 
is whether the copyright law’s goal of ‘promo[ting] the Progress of Science 
and useful Arts,’... would be better served by allowing the use rather than pre- 
venting it.”[29] 


In the same milieu, one must appreciate that fair use calls for a case by case 
analysis of the four factor test which throw light on the boundaries of legiti- 
macy of use and thus are merely indicative and not determinative. In essence, 
it is a highly fact and circumstance specific doctrine. 


Closely examining the letter of the law under S.107, [30] in the analysis in- 
volving the finding of fair use, it has to be ascertained whether there is “fair 
use’ and thereafter filter it further to see whether it is for an appropriate pur- 
pose or not. The various purposes have been described therein - criticism, com- 
ment, news reporting, teaching (including multiple copies for classroom use), 
scholarship, or research are merely exemplary, not exhaustive [31]. 


5. Scrutinizing Google under the 4 Factor Test 


5.1. The First Test 


The first test is to examine the purpose and character of use as to whether 
such use is for commercial nature or for non profit educational purposes? 


It has been observed by the U.S. Supreme Court that the purpose of the use 
should be non commercial for a “commercial or profit making purpose ... 
would be presumptively unfair” while a non commercial use would raise a pre- 
sumption of fairness [32]. Subsequently, it has been noted that “the crux of the 
profit/nonprofit distinction is not whether the sole motive of the use is mone- 
tary gain but whether the user stands to profit from the exploitation of the copy- 
righted material without paying the customary price.”[33] 


‘User’, in the present context does not refer to the user who shall view the snip- 
pets of the work upon a search on Google’s search engine but Google itself 
which is making the ‘unauthorized’ digital copies. 


Google is not profiting from the exploitation of the copyright material per se 
not any more than society is benefiting in incalculable proportions. Exploita- 
tion is not in the ‘commercial sense’ for it is providing only snippets and not 
selling the book to reap commercial benefits. Moreover, Google is providing 
the digital copy to the libraries themselves. Google also has this ‘opt out’ pol- 
icy whereby the copyright holder can elect not to get his book digitized. Thus, 
the nature of the act in an overall perspective is though not ‘non profit educa- 
tional purposes’, the same does not either qualify to the contrary, being of com- 


53 


mercial nature, for the gains are not coming from the book but the advertise- 
ment space which Google will sell on its web page. 


Moreover, commercial use is no longer deemed by Courts to be presumptively 
unfair [34] for many unauthorized uses such as newspaper reporting, parody 
etc. involve an element of commerce. Assessment of commerciality must in- 
clude an examination of the degree of the exploitation which in case of Google, 
the exploitation of copyrighted work is limited to the display of not more than 
three snippets which by no means gives the heart of the work and thus is ‘de 
mimimus’ use. 


The Ninth Circuit considered fair use issues relating to search engine operation 
in Kelly v. Arriba Soft Corp, where Kelly, a photographer sued a visual search 
engine for displaying thumbnail images of photographs originally posted on his 
website.[35] The Ninth Circuit found in favor of the search engine, holding 
that the search engine’s creation of thumbnails of the photographer’s copy- 
righted images, although used for commercial purposes, was a transformative, 
non exploitative use and therefore fair.[36] As thumbnail is to photography, 
likewise a snippet is to a book for the purposes of fair use. Google like Kelly 
is in that context ‘non exploitative.’ 


Moreover, the first test must be read with the other three tests in order to ap- 
preciate the larger picture. The primary goal of Google being a ‘for-profit’ or- 
ganization is to generate revenue from the advertisement space it sells on the 
web page, however how is the society or the owner of the copyright affected 
so long as such a service is being provided? Indeed, the masses are getting 
largely benefited as they shall be able to make online searches of books rele- 
vant to their subject matter and can purchase the same as well. The sales rev- 
enue in such cases would go to the publisher and the royalty to the copyright 
holder. Therefore, it is a win-win situation for both the parties at the transact- 
ing end. Ifa third party which is facilitating this service benefits in the process, 
what is the harm? 


5.2. The Second Test 


The second factor in a fair use analysis is the nature of the copyrighted work 
that is potentially infringed [37]. Courts are likely to find fair use more in fac- 
tual works than creative works as the threshold of creativity is lower in the for- 
mer. It has to be appreciated that Google will be scanning books 
indiscriminately whether be it creative fiction or factual (ex. dictionary). Where 
there is a likelihood of market harm in displaying the snippets, Google will 
only display the bibliographic information as it is doing in case of dictionar- 
ies. Once again, it is to be appreciated that Google is not appropriating the dig- 


54 


ital text of the work to its own benefit such that it violates the copyright of the 
right holder. It is providing a service to the society (though profiting in the 
process), but making the works more ‘discoverable’ than ever before and is 
not appropriating the contents of the work for its personal use therefore whether 
the work is factual or creative does not make any difference so long as the ma- 
terial is not being appropriated to the economic detriment of the copyright 
holder or stifling creativity by any means. On the contrary, Google is promot- 
ing the market of works thus encouraging creativity. 


Another problem is with respect to orphan works [38]. The Copyright Office 
is preparing recommendations to Congress on how to address the orphan works 
problem - how to enable uses of works whose owners cannot be identified or 
located (Band, 2006). Orphan works are copyrighted works whose owners are 
difficult or impossible to identify and/or locate. Orphan works are perceived to 
be inaccessible because of the risk of infringement liability that a user might 
incur if and when a copyright owner subsequently appears. Consequently, 
many works that are, in fact, abandoned by owners are withheld from public 
view and circulation because of uncertainty about the owner and the risk of li- 
ability [39]. 


The new legislation is being proposed in this regard. The bill would add a new 
§ 514 to the Copyright Act entitled “Limitation on remedies in cases involv- 
ing orphan works.” It would essentially implement the Copyright Office’s pro- 
posal to limit liability for an infringing use of an orphan work. As a prerequisite 
to qualifying for the limitation, the infringer must sustain the burden of prov- 
ing that he or she performed and documented a reasonably diligent search in 
good faith but was unable to locate the owner [40]. 


If the legislation comes out, Google can digitize orphan works under the fair 
use doctrine as well if the owner cannot be located. 


5.3. The Third Test 


The third factor is both a qualitative and a quantitative test which concerns it- 
self with the amount and substantiality of the portion used in relation to the 
copyright work as a whole. Though Google is scanning entire books what 
will be visible to the netizen while searching would not be more than three 
snippets. Thus for the purposes of copyright it is ‘de minimus’, thus ‘fair.’ 


However, notwithstanding whatever is visible to the netizen, Google will be 
scanning entire books, thus committing an act of ‘intermediate copying’. In 
the context of Internet search engines, there are two cases in which reproduc- 
tion and archiving of the entirety of copyrighted content found on web sites has 
been deemed a fair use: Kelly v. Arriba Soft [41] and Field v. Google.[42] The 


55 


owners respond that the intermediate copying cases are distinguishable 
because they address a problem specific to software: translation of programs 
is the only means of accessing ideas unprotected by copyright that are con- 
tained within the program. 


This problem, of course, does not exist with books. Furthermore, in the interme 
diate copying cases, the software developer discarded the translation once it de 
veloped its new non infringing program 


Google, conversely, will retain the scanned copy in its search index. Band 
(2006) opines that “While acknowledging these factual differences, Google’s 
supporters stress the underlying principle of intermediate copy- 
ing cases: that copying may be excused if it is necessary for a socially useful 
non infringing use. (p.7) 


This is one issue which Google may succeed considering the social good the 
project claims to serve. 


5.4. The Fourth Test 


The fourth test is to examine the effect of the use upon the potential market 
for or value of the copyrighted work. The fourth fair use factor and perhaps 
the most important [43] is the effect of this project upon the potential market 
of the copyright works. It encompasses within its fold not only the existing 
and potential market of the work but also its derivatives [44]. 


In the famous Sony Betamax case [45], the Court was of the opinion that it 
was not necessary to show actual present harm nor exhibit with certainty that 
future harm shall result from the particular use but preponderance of the evi- 
dence that some meaningful likelihood of future harm exists. It further ob- 
served that ‘If the intended use is for commercial gain, that likelihood may be 
presumed. But if it is for a noncommercial purpose, the likelihood must be 
demonstrated.’ 


Though there is commercial gain which will accrue to this for-profit organiza- 
tion, it shall not be from the use of copyrighted works but from selling of the 
advertisement space. Therefore, Google’s endeavor cannot be said as failing the 
fourth test. Furthermore, any party (author or publisher) claiming that the proj- 
ect is or shall cause harm to the market of the work or is of the slightest opin- 
ion that has the likelihood of causing harm, can resort to the ‘opt out’ policy and 
thus exclude his work out of the digitization project. 


It is true that some issues need to be resolved since fair use does not permit full 
copying of books in the first place, leave aside reproducing in the digital for- 
mat. However, this does not mean that the legislature must turn a deaf ear and 


56 


the Courts remain mute spectators being bound by the clutches of law. After all 
‘fair use’ is the judge made doctrine and the contours of the same are being ju- 
dicially expanded with the passage of time and introduction of new forms of 
technology. Keeping in mind that the doctrine has not been tailored to preci- 
sion, it should be suitably expanded ‘to promote the progress of Science and 
useful arts’ more than anything else as its chief consideration. With a few al- 
terations as may be necessary, Google must be allowed to serve the larger in- 
terests of the global society by realizing this project. 


6. Advocating ‘Googlelization’ of Libraries 


It cannot be denied that there are a significant number of authors, who are ap- 
preciative of this project. Moreover, it must be remembered that the Author’s 
guild which has sued Google only represents a fraction of the authors. The user 
will greatly benefit from the search database as he would be able to see the 
buried knowledge in every book possible as is relevant to the scope of his 
search which otherwise is humanly impossible. 


What is to be appreciated is that Google is promoting the legitimate interests 
of the right holders and not unreasonably prejudicing their interests. It is pro- 
viding that latitude to the right holders to withdraw their works i.e. “opt out’ in 
case they are of the view that scanning and subsequent digitization without 
their permission and minus paying them any consideration, shall cause unrea- 
sonable prejudice to their legitimate interests. 


For as we see it, the project will benefit not only the citizens of the United 
States, but also the global citizen as at the end of the day ; for it is all about 
accessibility and through the internet one can access or transact with another 
from any part of the world. Such programs will be greatly beneficial for the de- 
veloping societies in promoting wider and easier accessibility on pay or with- 
out any pay depending on the copyright status of the work, thus facilitating 
and fulfilling the final mandate of copyright and at the same time facilitating 
the flow of information from the developed countries to the developing world. 
It cannot be denied that if books cannot be searched online, many users may 
never locate them and thus may indirectly affect the market of the work. More- 
over, it is an author’s basest desire that his work receives the largest possible 
coverage for that adds to his repute. 


The copyright owners , by and large , agree that the Library Project has sig- 
nificant social utility. Indeed, authors participating in the Authors Guild law- 
suit acknowledge that the Library Project will provide them with a helpful 
research tool. Their objection is not that Google is creating a full text search 
index; it is that Google is creating the index without their permission (See 


57 


Band, 2006). Perhaps they are gunning for a piece of cake, which Google can 
easily afford to give in view of its immense financial success. The greed may 
be premised on the fact that where a company can invest in millions to digitize, 
it can surely donate in thousands to avoid a litigation which may lead to an un- 
favorable verdict since it is the unfaithful road of fair use that Google is tread- 
ing. Whereas other large corporations wait and watch before investing in the 
sacred domain of copyrighted works, Google confidently marches on the road 
to implore justice. 


7. On a concluding note... 


The final outcome of the Google project is based on perhaps the most funda- 
mental role of copyright law of securing a legal monopoly to the authors for a 
limited time and more so of a limited nature, which derives its roots from the 
premise that ultimately it is the dissemination of such works to the ‘public’ i.e. 
the end user which should serve as a catalyst in enhancing the motivation of the 
authors to produce works for it is such a ‘user’ which creates the demand of the 
product and is the source of revenue, in the absence of which such works cease 
to reap the commercial fruits of the author’s intellectual labor. If such com- 
panies such as Google are facilitating a larger socially oriented purpose of the 
‘largest good of the largest number’ through accessibility to knowledge and 
resources of ‘intellectual’ nature and are largely in conformity with the law, 
there is no reason why such mammoth investment projects should be shown the 
red signal considering that both the parties and each end of the scales of justice 
are greatly benefited by the balance we call Google. It is only for this reason 
that copyright is justified on the scales of economics as they give authors, the 
incentive to create and enhance the public’s access to the work. 


Indeed, in this Googlelization of Libraries, it is a war of ‘Fair Use’ versus 
‘Fare Use’! How Fair or Fare is it?... only time is the real verdict. 


Notes 


[1] The Preamble to the Statute of Anne, 1710 is worded as “An Act for the Encourage- 
ment of Learning”. 

[2] Art.1, S.8 (cl. 8) of U.S. Constitution. The United States of America happens to be one 
of the first jurisdictions where copyright protection has found constitutional patro- 
nage. 

[3] See e.g., Feist Publications v. Rural Telephone Service Co. 499 U.S. 340, 349 (1991), 
where the United States Supreme Court speaking through Justice O’ Connor observed 
that “the primary objective of copyright is not to reward the labour of authors, but to 
promote the progress of science and useful arts”, the latter constituting a constitutio- 
nal mandate under A.1, S.8, cl.8 of the Constitution of the United states of America 

[4] Retrieved September 12, 2007, from http://www.archive.org/about/about.php 

[5] Retrieved September 12, 2007, from http://www.etudes-francaises.net/dossiers/gu- 
tenberg_eng.htm 


58 


[6] Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 590 (1994) 
[7] Retrieved September 12, 2005, from http://www bitlaw.com/copyright/fair_use.html 


[8] “Fair Use” is generally the term used in US law and in other countries with similar do- 
ctrines, while “Fair Dealing” applies more to the UK/Australia and other countries 
with a Common Law heritage. 


[9] The four factors of analysis for fair use set forth above derive from the classic opinion 
of Joseph Story in Folsom v. Marsh, 9 F.Cas. 342 (1841) 


[10] The first amendment to the United States Constitution envisages the Freedom of Spe- 
ech. 


[11] Dellar v. Samuel Goldwyn, Inc., 104 F.2d 661, 662 
[12] U.S. Code, title 17, Chapter 1, S. 107 


[13] The project involved digitization of the libraries of Harvard, Stanford, Oxford, Mi- 
chigan University, and the New York libraries, which has decided to donate materials 
for scanning. Moreover a large number of books which happen to be in the public do- 
main have been e-catalogued so that the user can directly download the book and read 
it. As to the books which enjoy copyright protection, pursuant to an agreement be- 
tween the company and the copyright holder, online copies of the book can be kept for 
purchase on the web from the publisher directly and the user may search for the book 
he requires (as a few sentences of the relevant ‘literary piece’ shall be provided thro- 
ugh the search.) In essence, Google is promoting the dissemination of various works 
of authorship by facilitating e-purchases and bringing the existence of such literature 
to the knowledge of the interested consumer. 


[14] Google rebranded Google Print, which includes the Library Project, as the Google 
Book Search, in order to better describe the project’s purpose. 


See Google Print Renamed Google Book Search, Marketing VOX, Nov. 18, 2005. Re- 
trieved Sep. 12, 2007 from http://www.marketingvox.com/archives/2005/11/18/go- 
ogle_print_renamed_google_book_search/ 


[15] On September 20, 2005, the Authors Guild (comprising of some 8000 authors) and se- 
veral individual authors sued Google for copyright infringement. A month later, on 
October 19, 2005, five publishers - McGraw-Hill, Pearson, Penguin, Simon & Schu- 
ster, and John Wiley & Sons — sued Google. The authors request damages and in- 
junctive relief. The publishers, in contrast, only requested injunctive relief. 


[16] Works in public domain are considered to be part of a common cultural and intellec- 
tual heritage, which, in general, anyone may use or exploit, whether for commercial 
or non-commercial purposes. 


[17] Both Yahoo and Microsoft have recently announced digitization projects. Microsoft an- 
nounced that it would be digitizing 100,000 volumes from the British Library. Yahoo 
agreed to host the Open Content Alliance, under which entities such as the University 
of California and the Internet Archive will post digitized works. 


Band, J. (2006). The Google Library Project: The Copyright Debate. Retrieved Sep. 
12, 2007 from _http://www.lIrx.com/features/googlelibraryproject.htm 


[18] The difference between ‘opt in’ policy and ‘opt out’ policy that whereas in the former, 
the burden is on the company to seek permission from the copyright owner as to whe- 
ther make available, the digitized copy of the work, the latter on the other hand, pre- 
supposes that the company shall scan the work unless the author refuses to permit, 
meaning that the burden is on the owner of copyright to expressly ‘opt out’ failing 
which the work shall be scanned for the purposes of searching. Whereas considerations 
of larger social good would favor an ‘opt out’ policy, one may counter argue that since 


59 


the owner of the copyright has the exclusive right to authorize reproduction, an ‘opt 
in’ policy is a right emanating from the intersection of copyright law and the law of 
contract. However, if permission is sought from each and every author of each of the 
works in a library which is getting digitized, it would lead to a considerable wastage 
of time and money and cause significant delay. Moreover an ‘opt in’ policy, apart from 
being not feasible, is not justifiable especially in view of the manifold advantages, 
both commercial and non commercial, accruing to the owner of the copyright on get- 
ting the work digitized free of cost and labor for there is no unreasonable prejudice 
being caused to the legitimate interests of the right holder and moreover the society is 
being greatly benefited as one of the aims of the project is to enhance the ‘marketabi- 
lity’ of the work. The fact that Google shall commercially benefit from the deal does 
not undermine the socially valuable end it shall serve. Google has resorted to the ‘opt 
out’ policy. 

[19] Press Center, Google, Google Checks Out Library Books, Dec. 14, 2004. Retrieved 
Sep. 12, 2007 available at http://www.google.com/press/pressrel/print_library.html. 

[20] ibid 

[21]An example of what the results will look like is available at: http://print.google.com/ 
googleprint/screenshots.html). 

[22] See Band, J. (2006). The Google Library Project: The Copyright Debate. Retrieved 
Sep. 12, 2007 from http://www.lirx.com/features/googlelibraryproject.htm_ 

[23] Refer supra Note 18 

[24]Sce, for eg., Band, J. (2006). The Google Library Project: The Copyright Debate, Sab- 
rina I. Pacifici. Retrieved Sep. 12, 2007 from http://www.llrx.com/features/googleli- 
braryproject.htm 

[25] See supra Note 2. 

[26] 17 U.S.C. §108(a) (1) 

[27] 17 U.S.C. §108(b), H.R. Rep. No. 94-1476, at 75-76 

[28] Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 575 (1994) 

[29] Arica Inst., Inc. v. Palmer, 970 F. 2d 1067, 1077 (1992) 

[30] Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrigh- 
ted work, for purposes such as criticism, comment, news reporting, teaching (inclu- 
ding multiple copies for classroom use), scholarship, or research, is not an 
infringement of copyright. 

[31] For more see Harper & Row Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 561 
(1985) 

[32] Sony Corp. of America v. Universal City Studios, Inc. 464 U.S. 417, 449 (1984) 

[33] Harper & Row Publishers, Inc. v. Nation Enterprises 471 U.S. 539, 562 (1985) 

[34] See Campbell v. Acuff-Rose Music, Inc., 972 F.2d 1429 (1994) 

[35] Kelly v. Arriba Soft Corporation, 336 F.3d 811, 816 (2003) 

[36] ibid 

[37] 17 U.S.C. §107(2) (2000). 

[38] Out-of-print works that remain in copyright, but for which rights holders cannot be lo- 
cated, are colloquially labeled “orphaned.” Several legislative solutions have been 
proposed to allow access to these so-called orphan works even when the true rights 
holders cannot be determined with absolute certainty. See United States Copyright Of- 
fice, Report on Orphan Works (Jan. 2006) and the proposed “Orphan Works Act of 


60 


2006” (H.R. 5439). Retrieved Sep. 12, 2007 from www.copyright.gov/orphan/ 


[39] United States Copyright Office, Report on Orphan Works (Jan. 2006) and the propo- 
sed “Orphan Works Act of 2006” (H.R. 5439). 


[40] ibid 

[41] 336 F. 3d 816, 822 (2003) 

[42] 412 F. Supp. 2d 1106 (D. Nev. 2006). 

[43] “This last factor is undoubtedly the single most important element of fair use.” Har- 
per & Row Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 566 (1985) 

[44] ibid at 568 

[45] Sony Corp. of America v. Universal City Studios, Inc. 464 U.S. 417 (1984) 


References 


1. Adler, A. (2006). The Google Library Project. Retrieved Sep. 12, 2007 from 
http://www.publishers.org/copyright/ARA_paper.doc 

2. Band, J. (2006). The Google Library Project: The Copyright Debate. Retrieved Sep. 
12, 2007 from http://www. lirx.com/features/googlelibraryproject.htm 

3. Band J. (2006). The Google Print Library Project: Both Sides of the Story. Vol.1. (No. 
2).Retrieved Sep. 12, 2007 from http://www.plagiary.org/Google-Library-Project.pdf 

4. Cohen, Jason (2001). Endangered Research: The Proliferation of E-Books and Their 
Potential Threat to the Fair Use Clause. 9 J. Intell. Prop. 163, 170. Retrieved Sep. 12, 
2007 from Westlaw database. 

5. FAIR DEALING, “WikiReader: Free Software and Free Contents”. Retrieved Sep. 
12, 2007 from http://upload.wikimedia.org/wikipedia/en/a/a9/ WikiReader_Free_Soft- 
ware_and Free_Contents.pdf 

6. Google Print Renamed Google Book Search, Nov. 18, 2005. Retrieved Sep. 12, 2007 
from _ http://www.marketingvox.com/archives/2005/11/18/google _ print_renamed_ 
google book_search/ 

7. Hanratty, E. (2005), GOOGLE LIBRARY: BEYOND FAIR USE? 2005 Duke Law & 
Technology Review 10. Retrieved Sep. 12, 2007 from Westlaw database. 

8. Press Center, Google Checks Out Library Books, Dec. 14, 2004. Retrieved Sep. 12, 
2007 from http://www.google.com/press/pressrel/print_library.btml 

9. T. Sundara Rajan, M. (Dr.) Digital Learning in India: Problems and Prospects. Digi- 
tal Learning Legal Background Paper. Retrieved Sep. 12, 2007 from 
http://cyber.law.harvard.edu/home/dl_india. 


61 





From Sony Librié to Sony Reader and iLiad: The Begin- 
ning of the End? Legal Implications surrounding the 
eBook debate, Sony Reader and iLiad 


Dr. Dinusha Mendis 
Lecturer in Law 
Centre for Law, Information and Converging Technologies (CLICT) 
University of Central Lancashire 


Abstract. The Sony Reader is the latest single-user business 
model for eBooks and successor to its predecessor Librié. Together with 
its rival iLiad distributed by iRex Technologies (a spin-off company of 
Philips) these latest eBook Readers purport to revolutionise the act of 
reading with electronic paper and eInk with the Sony Reader boasting 
12,000 titles in its on-demand ‘CONNECT’ eBook Store. However, 
since these ‘cutting-edge’ reading devices hit the American market in 
2007, it has created a furore in the world of intellectual property and in- 
formation technology law. This paper will initially re-address the long- 
standing eBook debate and addresses the more complicated legal issues 
arising from these latest devices with particular reference being made to 
the Sony Reader. Plenty of attention has been lavished on the music in- 
dustry and online digital music distribution. Therefore it is the aim of 
this paper to explore a relatively unexplored area of the eBook Reader 
and the ‘paperless word’ which, without doubt, is one of the most use- 
ful technological developments of our time. Yet, if the endeavours of 
the eBook industry to lock-up the titles they release remain unchecked, 
a realisation of the fullest potential of eBooks will sadly be lost, unless 
alternative measures are taken. 


Biographical Notes: The author is a Lecturer at the University of Central Lancashire 
and is involved in the teaching of and research in Intellectual Property Law, amongst 
other areas of interest. She holds qualifications from the Universities of Aberdeen 
(LLB (Hons)) and Edinburgh (LLM; PhD) and qualified for the Bar of England and 
Wales (Middle Temple Inn) in October 2001. 


1. Back to the future: The progression of mobile-reader 
devices 


“The idea of computerised books — reading book-types of material from 
small, portable reading units — can be traced back in science fiction lit- 
erature over 50 years ago. Bova’s satirical science fiction novel Cyber- 
books, for example, looked at the impact of a new electronic book on 
the publishing industry” (Herther, 2005, p.45). The first application of 
this concept became a reality when in 1960, a Postgraduate student, 


63 


Alan Kay, introduced the Dynabook: “a portable interactive personal 
computer, as accessible as a book” (Kay, 1977, pp.31-44). 


There was a steady flow of development in this area from Kay’s introduction 
of the Dynabook in 1960 to the mid 1990’s when his vision was eventually re- 
alised with the ‘AppleNewton Message Pad’ the world’s first Personal Digital 
Assistant (Lever, 2007, p. 3). Unfortunately it was discontinued in 1998; yet 
it was during this year that eBooks and mobile reader-devices took on a dif- 
ferent shape. The first annual e-book Conference sponsored by the National 
Institute of Standards and Technology (NIST) and National Information Stan- 
dards Organisation (NISO) laid the groundwork for the development of an in- 
dustry group, the Open e-Book initiative, to address standards and other issues 
for this emerging product area (Op. cit., Herther, p. 47). The year 1998 also 
saw the arrival of ‘Palmpilots’, ‘Handspring Visors’ and ‘Pocket PCs’ to su- 
persede the AppleNewton Message Pad. Thereafter, bearing fancy names, a 
plethora of mobile reader devices hit the market from 1998-2004: Rocket 
eBook (1998 from Nuvomedia); SoftBook (1998, from SoftBook Press); 
REB1100 (mid 2000, from Gemstar eBook Group which acquired Nuvomedia 
and SoftBook Press) and Sony Librié (mid 2004, from Sony to Japanese mar- 
ket), to name a few. The mobile reader technology had slowly but surely taken 
shape. However, the robust beginning did not continue and coupled together 
with a very small and growing marketplace, the industry took on a more sub- 
dued path than expected. 

Before turning to consider these issues in-depth, some of the important con- 
cepts relevant to this paper will be defined and explained briefly, at this point. 


2. Defining some concepts and terminology 


Mention has already been made of dedicated hardware reader devices such as 
Gemstar REB1100 (former Rocket eBook), Gemstar REB 1200 (former Soft- 
Book) and Personal Digital Assistants (PDAs), such as Palmpilots, Handspring 
Visors and Pocket PCs. A third category, which will be considered in this paper, 
will be ‘hybrid devices’ such as Sony Librié, Sony Reader and iLiad which are 
more than just dedicated mobile readers. Surrounding these different reader de- 
vices is the issue of digital rights management, technological protection meas- 
ures and interoperability — terminology which is often confused and used 
interchangeably when referring to legal issues pertaining to technology. 
Digital Rights Management (DRMs) are “technologies describing and 
identifying digital content protected by intellectual property rights and enforce 
usage rules set by rights holders or prescribed by law for digital content” (Sel- 
lars; 2003, p. 5). DRMs protect content by ‘encrypting’ the file in which it is 


64 


contained and imposing rules relating to its use. It is a broad umbrella term 
which is used to refer to different types of technological protection measures 
which have been developed in the past few years to address the complex issue 
of protecting and managing Intellectual Property Rights (IPRs) in a digital en- 
vironment. 

Technological Protection Measures (TPMs), which has also been ap- 
propriately described as “This intellectual Property is Mine!” (Lever, 2007, p. 
8) falls under the umbrella of DRMs when coupled with restrictive standard 
form contracts. TPMs aim at prevention of breach of copyright (by erecting 
‘electronic fences’), rather than cure (by imposing punishment and sanctions) 
to protect the IPRs of creators. As will be discussed in the following pages, 
with reference to US and EU laws which promote TPMs, these technological 
measures have grown in to a body of laws which refer not to the exclusive 
rights of the copyright owner but to what the copyright owner is able to pro- 
tect through technology (Infra, pp. 7-9). 

The interoperability requirement particularly relating to mobile reader 
devices aims to standardise and enable the ‘inter-operation’ between file for- 
mats such as, amongst others, DRM-free text, Microsoft Word, Adobe PDF, 
Rich Text Format (RTF). Uniform open standards have been lacking to date 
with Microsoft Reader, Adobe Acrobat eBook Reader, Gemstar eBook and 
Palm Reader each attempting to promote their file format as the eBook stan- 
dard, despite the efforts of the Open eBook Forum (now known as the Inter- 
national Digital Publishing Forum) to reach agreement on a uniform format. 


Rising superstar to fallen angel? Main reasons for the down- 
fall of E-Book 


With a flurry of mobile-reader devices entering the markets during the 1990’s, 
questions were raised as to why the reading public had been slow to embrace 
eBooks? One of the reasons was that the eBook had not made much of an im- 
pact as the experience of reading on-screen had failed to live up to expectations. 
Over and above this concern, the eBook market was largely confined to home 
computers and PDAs for a considerable amount of time. Even after mobile- 
reader devices such as the Palm Reader became fashionable, the size of the de- 
vice screen remained an issue. With only six or seven lines per screen, 
consumers who preferred skim-reading or were just naturally very fast readers 
found the bite-sized pieces of text tedious and frustrating. (Burk, 2001, 329; 
Seadle, 2003, p. 390). Experience in the eBook industry further revealed that 
the complexities associated with mobile-reader devices went beyond the read- 
ing experience and a diminutive screen display. For example, PDAs were seen 


65 


to be engulfed in problems of file format as pointed out above — which had to 
match the eBook and reader software; downloading, installing and activating 
reader software and above all, pricing issues. 

At the 2006 eBook Survey conducted by the International Digital Pub- 
lishing Forum (IDPF), it was interestingly submitted that PDAs continue to be 
the preferred reader-device of choice (IDPF Survey 2006). At the same sur- 
vey, the following three observations, complemented by consumer remarks, 
highlighted the reasons why an inventive concept with high prospects, never 
reached its fullest potential. 


1. Pricing 


“Prices are still too high for eBooks. iTunes for example, prices music less 
than CDs but with eBooks the price is hardly less than a paperback. What’s re- 
ally ridiculous is charging hardcover prices for eBooks”. 


“E-books should NEVER be more than the paperback price and they should be 
cheaper (no paper, print, shipping)” (Op. cit., IDPF, p. 9). 


2. Lack of eBook Selection 


“I just want more books available. I understand that they need to be allowed 
by publishers and/or authors, but that’s what I want”. 


“Make MORE titles available!! My biggest complaint is that the books I want 
are never available!! This doesn’t make sense as ALL titles exist in electronic 
versions before they are committed to print...” (Ibid). 


3. Digital Rights Management issues and eBook formats 


“eBooks shouldn’t be tied to any particular eBook software. Why should I need 
multiple software programmes on my device in order to read eBooks? An open 
standard that allows users to responsibly move eBook content between differ- 
ent reader programmes and hardware easily would encourage broader use” 


“Get rid of DRM. The whole point of eBooks is you can read them anywhere 
and carry each and every one you ever got with you on any device you own. 
Closed formats and DRM are preventing that. I didn’t have to put up with that 
with paper books, so why do I have to put up with it now? (Op. cit., IDPF, p. 
10). 


These are some of sticky points which have dogged the eBook industry from 
reaching its anticipated success. Interestingly and unsurprisingly, the 2006 
Survey also drew attention to the fact that only four percent of the participants 
who regularly consume commercial eBook titles do so for use on dedicated 
reader devices, whilst a large proportion — seventy nine per cent — conceded that 


66 


mobile devices which also offer eBook-reader functionality such as PDAs were 
the reader device of their choice (IDPF Survey, 2006, p. 4). If this is a reflec- 
tion of the market and consumer choice, then what exactly do devices such as 
Sony Librié, Sony Reader and iLiad purport to do and how do they aim to be 
successful amidst the many issues DRMs, file-formats, lack of interoperabil- 
ity, display screens and high prices. Each of these devices will be considered 
in turn in an attempt to answer the above question. 


4. The Next Generation: From Sony Librié to Sony Reader 
and iLiad 


4.1. Sony Librié 


With mobile-reader devices such as Gemstar, Franklin and RCA gradually fad- 
ing away and ultimately disappearing from the market, Sony Librié, (and its re- 
cent successor, Sony Reader) did not only replace them, but proved to be more 
in keeping with the feel and functionality requirements of its users. Produced 
for the Japanese market, in April 2004 (and sold only in Japan) the Sony Lib- 
rié, unveiled an ingenious reflective screen and took mobile-reader devices to 
the ‘next generation’ with its eInk technology. Additionally, it supports up to 
7,500 continuous page turns on a single battery charge (four AAA Alkaline 
batteries) and offers its content on Broad Band eBook (BBeB) format (Pilato 
F., 2004). Equipped with a ‘qwerty’ keyboard the Sony Librié permits a lim- 
ited form of marginalia as well as a small roller wheel. Writing about Librié, 
during its period of infancy, it was described as “stunning” ... “the display looks 
so real, it appears as if it’s a sticker or printed on the screen” (makezine.com). 


For all such success, this swanky mobile-reader device of the 21st century is 
riddled with drawbacks. For example, it limits eBook titles to a maximum of 
four devices. It uses its own proprietary DRM technology on all titles available 
from their own download store, Publishing Link, a joint venture between Sony 
and a number of large Japanese publishers and printers. The bizarre conse- 
quence of this is that content from Publishing Link, expires and becomes un- 
readable after sixty days: in other words, its coded to lock up after sixty days. 
As J. Lytle in his article Nice ebook, shame about the DRM states: ‘...who in 
their right mind is going to buy books that simply evaporate after two months?’ 


Whilst Librié, was the first of its kind, it soon became clear, that many lessons 
had to be learnt to make it more appealing to the consumer and in turn make it 
a more user-friendly device designed to realise the fullest potential of the pa- 
perless word. 


67 


4.1.2 Sony Reader 


Eager to rectify the shortcomings of the Sony Librié, the Sony Reader offers 
an indefinite shelf life for titles purchased, thereby doing away with the sixty- 
day lock up (and also the ‘qwerty’ key board). The Sony Reader supports the 
file formats of TXT, RTF, PDF (unencrypted); BBeB (encrypted and unen- 
crypted); JPEG, GIF, BMP, PNG, MP3 (unencrypted); and AAC (unencrypted). 
In terms of DRMs, the DRM rules allow any purchased eBook to be read on 
up to six devices (at least one of those six being a personal computer). It uses 
an electronic paper display developed by e-Ink Corporation and the reader is 
able to purchase books from Sony's CONNECT eBook store. Although the de- 
vice does not officially support Linux Operating Systems, users can use the 
free software library and utility libprs500 written by Kovid Goyal 
(http://en.wikipedia.org/wiki/Sony_Reader). In many ways, the Sony Reader — 
the latest and chic eBook reader — was a definite step-up from its predecessor. 


The Sony Reader was first launched in September 2006 and entered the US 
market in April 2007, and very recently on 2 October 2007, an updated version 
of the Reader (PRS-505) was released. Not long after it first emerged in the 
US market in 2006, Sony was asked a number of questions about its latest de- 
vice; of which some answers raised cause for concern (Makezine, 2006, p. 2- 
4). One of the questions put to Sony was whether the Reader permits the 
sharing of books? In response to the first question, Sony answered that: “al- 
though you cannot share purchased eBooks on other people’s devices and ac- 
counts, you will have the opportunity to register five Readers to your account 
and share your books accordingly” (Ibid). 


Secondly Sony was asked about consequences in the event of a broken or faulty 
device: whether DRM-protected content can be moved to a replacement ma- 
chine? In response to this question, Sony stated: “if the Sony Reader or your 
PC breaks, you can always log-in to your CONNECT account and ‘re-down- 
load’ your purchased eBooks to a new PC, and transfer them again to a new de- 
vice, as long as the six device rule still holds true” (Ibid). 


When asked why Sony sells books, Sony answered: “we want to offer our cus- 
tomers an integrated and easy-to-use experience. Developing a Sony-managed 
download services (BBeB) accessed from within the desktop PC application 
was a key aspect of offering this integrated experience” (Ibid). 


At first blush, it appears that the Sony Reader has indeed met all the short- 
comings of Sony Librié, and has produced a device which can finally reach 
the fullest potential in the eBook and mobile-reader device era, with increased 
interoperability with other file formats, indefinite shelf-life and weaker DRM. 
However, reading between the lines, unravels a different story. Although the 


68 


Sony Reader can certainly lay claim to increased interoperability, the reality is 
that the BBeB format will remain the Sony Reader’s preferred format of choice. 
In fact Sony goes on to recommend “using the CONNECT Reader Software to 
import and transfer files to the Reader, as it will enable faster page turns and 
re-sizing on the Reader itself. We have also included the ability to import Mi- 
crosoft Word files to the device. The CONNECT Reader will convert the Word 
document to RTF during the import process as long as the user has Microsoft® 
Word on the PC” (Ibid). 


It is submitted that in other words, what this means is that the most effective 
and fast method of using this device (the speed of turning pages being a sig- 
nificant factor to the reading experience) is best supported by BBeB although 
other formats are also available. Whilst their existence may prove to be ad- 
vantageous in theory, in practise, it may not prove to be as effective. Fur- 
thermore, whilst the Adobe PDF format is still without doubt, the format choice 
for desktop eBooks, when used on the Sony Reader an Adobe PDF will be 
scaled to fit on the screen and that in most cases compromise the experience 
of reading (Makezine Blog, August 2006). On the other hand, The Count of 
Monte Cristo by Alexander Dumas which can be accessed for free on Google 
Book Search (formerly known as Google Print) or Project Gutenberg with the 
possibility of using search tools to root out key words, passages etc., costs $2 
on the Sony CONNECT bookstore with the price going up to $4.40 depending 
on the publisher of the book. Microsoft, however, has launched a scathing at- 
tack on Google saying the search giant’s rival book-scanning service “sys- 
tematically violates copyright” (BBC News, Microsoft attacks Google on 
books, 07/03/2007). Surely this does not apply to the aforementioned book or 
books such as The Complete Works of Shakespeare which fall in to the cate- 
gory of out-of-copyright classics? These books are out of copyright: so they 
can’t breach copyright law, they are in the public domain! Yet, the mainstream 
press appears to have missed the market for mobile-reader devices completely, 
assuming the fullest realisation of the electronic titles made freely available is 
either through our PC screens or on carbon-copy print outs. As Lever points 
out in his article, such practice, can mean that Sony CONNECT may not only 
be pricing themselves out of the market for such publications, it may also prove 
guilty of directing potential movement of eBooks away from a largely pub- 
lishing and computer orientation, into the world of consumer electronics 
(Lever, 2007, p. 7). 


4.1.3 The iLiad 


The iLiad, almost identical to the Sony Reader is a competitor product which 


69 


was officially launched in July 2006, before an update to the existing device 
was released in September 2007. Designed and produced by iRex Technolo- 
gies the iLiad is capable of displaying document files in a number of formats, 
among them PDF, XHTML and plain text. In addition it has the largest screen 
of existing e-Ink products and since 3 May 2007, the iLiad has been compati- 
ble with Mobipocket Reader (a universal reader for PDAs) thereby offering a 
secure reading system as a result of the encryption of eBooks. Unlike the Sony 
Reader which is sold solely in USA, iLiad is offered in both USA ($699) and 
Europe (€649). iLiad is able to run third party applications created for it and 
can officially support Linux Operating System. This means that developers 
and users wishing to create or run third party application can request ‘shell’ 
access from the manufacturer (iLiad Product Page, 


http://en. wikipedia. org/wiki/ILiad). 


Enhanced with features similar or in certain cases better than the Sony Reader, 
the question which remains to be addressed is whether these reading devices 
are the beginning of something special or the end of users’ rights — in the face 
of laws which attempt to ‘lock-up’ the literary world, particularly the WIPO In- 
ternet Treaties 1996, the Digital Millennium Copyright Act (DMCA) 1998 and 
the EU Information Society Directive 2001. 


The second part of this paper will involve a discussion of the law and issues. 


5. Sony Reader and iLiad v. The Law 


At the time the concept of the eBook evolved, the content format goals were 
laudable and simple: “create an eBook equal in readability to paper books; pre- 
serve e design and aesthetics; allow a quick translate from publisher’s pre- 
press to the eBook format; and get eBooks out to retailers at the same time as 
the hardcopy book” (Coyle, 2001, 318). In the same vein, the goals for copy- 
right protection and distribution whilst being equally laudable were also am- 
bitious: to prevent piracy; permit lending and giving yet make sure that one 
sale resulted in only one copy in circulation; perform royalty tracking; allow 
fair use copying and library conservation activities. Have these goals been 
met? Possibly yes, as a result of, stringent laws being introduced on both sides 
of the Atlantic, at the detriment of the public’s privileges in the digital age. 


5.1 The WIPO Internet Treaties and the EU Copyright Directive 
During the negotiations leading up to the finalisation of the WIPO Copyright 


Treaty 1996 (hereinafter WCT), the focus was on the technologies, which 
might facilitate circumvention rather than the act of circumvention. However, 


70 


this suggestion was criticised as this would have allowed the copyright owner 
to prevent any access to a work and so the end product at the close of the ne- 
gotiations was to draft a provision focusing on the act of circumvention, and 
not the technologies per se. Article 11 of WCT reads as follows — “Contract- 
ing Parties shall provide adequate legal protection and effective legal redress 
against the circumvention of effective technological measures that are used by 
authors in connection with the exercise of their rights under this Treaty of the 
Berne Convention and that restrict acts, in respect of their works, which are not 
authorised by the authors concerned or permitted by law”. The wording clearly 
does not refer to access and gives the impression that it prohibits circumven- 
tion, which assists in the reproduction of a work, which has not been ‘autho- 
. rised by the authors concerned or permitted by law’. This in turn appears to 
imply that circumvention of a technological measure in order to gain access to 
a work, or parts of a work, in the public domain might be permissible because 
the work is not protected by copyright, or can be used without permission of 
the owner of the copyright. 

There have been concerns expressed that the effect of Article 6 of the 
EU Information Society (hereinafter InfoSoc) Directive is effectively to shift 
copyright protection from law to technology (Perritt, 2003, p.2). Article 6(2) 
is an anti-trafficking provision. It provides that “Member States shall provide 
adequate legal protection against the manufacture, import, distribution, sale or 
rental, advertisement for sale or rental, or possession for commercial pur- 
poses” of decryption technology that is promoted, advertised or marketed for 
the purpose of circumvention of technological locks; has only a limited com- 
mercially significant purpose other than to circumvent such a technological 
lock; or is primarily designed to circumvent such a technological lock. There 
is no knowledge requirement. This provision is almost verbatim to the traf- 
ficking provisions in Digital Millennium Copyright Act 1998 (DMCA) dis- 
cussed below. 

The InfoSoc Directive set out the initial scope of the protection to be 
afforded TPMs as defined in Article 6(3), which goes on to define “technical 
measures” and when they shall be deemed “effective”. Séverine Dusollier tak- 
ing a sceptical view on this Article states: “one could not dream of a better tau- 
tology: obviously since the right holder has decided to technically protect an 
act of use related to his or her work, it means that he or she was willing not to 
authorise such an act. Any TM is then addressed by the EU anti-circumven- 
tion protection” (Dusollier, 2005, p.203). 

Over and above this concern, is a further concern — new laws which 
makes circumvention of technological measures unlawful, do not expire but 
can be replaced by more secure and advanced technology and therefore such 
technological measures may also be used to effectively extend the life of the 


71 


copyright further than that offered by law, namely, life of the author plus 70 
years. In view of the above arguments, it is the writer’s opinion that articles 
6 & 7 provides for the ‘right holder takes all situation’ and goes against the en- 
tire grain of Recital 31 of the InfoSoc Directive. Recital 31 states — “A fair bal- 
ance of rights and interests between the different categories of right holders, as 
well as between the different categories of right holders and users of protected 
subject-matter must be safeguarded . . .” 

5.1.2 The US Digital Millennium Copyright Act 1998 


Under the Digital Millennium Copyright Act 1998 (hereinafter DMCA 1998), 
Section §1201 (a) (1) prohibits direct circumvention of access and control de- 
vices. Thus this anti-circumvention provision makes it illegal to “circumvent 
a technological measure that effectively controls access to a copyright work. 
Secondly, section §1201 (a) (2) prohibits trafficking in technology primarily de- 
signed to circumvent access control devices. Thirdly, section §1201 (b) (1) pro- 
hibits trafficking in technology primarily designed to circumvent copy control 
devices. These two anti-trafficking provisions -§1201 (a)(2) and §1201 (b)(1) 
— basically prohibit any person from manufacturing, importing, offering to the 
public, providing or otherwise trafficking in decryption technology that is pri- 
marily designed to circumvent technological locks; or is marketed for use in 
circumventing such a technological lock. 

Implications of the DMCA’s trafficking provisions have been the cen- 
tral claim in cases such as Felten v. Recording Industry Association of Amer- 
ica. In this case, Professor Edward Felten in the United States was threatened 
with legal action by The Recording Industry Association of America (RIAA). 
On 09 April 2001, RIAA in conjunction with the Secure Digital Music Initia- 
tive (SDMI) sent a letter to Professor Felten of the Department of Science at 
Princeton University threatening legal action if Professor Felten published re- 
sults of his academic research. After months of discussion, RIAA dropped the 
charges and later denied that their letter to the researchers was a threat. 

The major difference between the InfoSoc Directive and the DMCA 
1998 lies in Article 6(4) of the Directive which is designed to address the dif- 
ficulties faced by the beneficiary of a copyright exception who is restricted 
from making use of that exception when the content is protected by TPM. Ar- 
ticle 6(4) only applies to the anti-circumvention proscriptions of Article 6(1) 
and — similar to the DMCA — does not extend to the anti-trafficking prohibi- 
tions of Article 6(2). Thus the position of the InfoSoc Directive regarding ac- 
cess control devices are really the same as that of the DMCA — and even more 
rigorous as Terese Foged points out (Foged, 2002, p. 537). 


72 


6. What do these laws mean for eBooks and Mobile-reader 
devices such as Sony Reader? 


First and foremost, it is important to re-iterate that copyright law exists to pro- 
tect expression, not ideas. Professor Raymond Irwin who was the Head of the 
University College London School of Librarianship & Archives (now known 
as School of Library, said at an inaugural lecture that the principal agent in the 
production of a book is, of course, its writer or author. His literary offspring 
are always the result of a marriage between his own mind and the communi- 
cated experience of other minds, either contemporary or in past time. And 
since this communicated experience is, in the main, received through the 
medium of books, the conception and birth of the new book commonly takes 
place upon the building of existing ideas. As such, Irwin’s lecture makes it 
clear that ‘reproduction’ is a necessary tool for the development of literary so- 
ciety (Irwin, 1957, p. 4). 


Yet the possibility of ‘building’ upon existing works is proving to be increas- 
ingly difficult in the digital age with literary works being locked up. The anti- 
circumvention measures are the most interesting battlefield between the 
traditional vision of copyright law and the dictates of technology. The scope of 
copyright is no longer decided according to what the proper scope should be, 
but according to what the technology can do. Laws introduced in USA and 
EU as illustrated above, preclude use that is not authorised by the copyright 
owner as well as use which is authorised b the law. 


A striking consequence of these laws was seen in the cases of U.S. v Sklyarov 
and U.S. v ElcomSoft Co. Ltd (2002). In this case, a Russian programmer 
Dmitry Sklyarov, an employee of ElcomSoft was arrested in 2001 when he 
was attending a conference in Las Vegas for allegedly trafficking in software 
which could circumvent the technological protection on certain eBooks. It was 
held (somewhat confusingly) that whilst it was the clear intention of Congress 
to impose a blanket ban on all trafficking in circumvention devices and that 
such a ban was unconstitutional, in doing so the DMCA does not eliminate fair 
use. 


In the preceding pages, an example was given relating to the book, Count of 
Monte Cristo by Alexander Dumas which can be accessed for free on Google 
Book Search but has to be bought on the CONNECT eBook store. Lever ar- 
gues that ‘freedom of information must never be conflated with freedom from 
expense’ (see, Lever, 2007, p. 10). At the same time, low overheads and col- 
laborative capabilities in particular facilitates the dissemination of works on- 
line through mediums such as Google Book Search and Project Gutenberg. In 


73 


contrast, high over heads, high consumer prices of both the hardware and soft- 
ware relating to mobile-reader devices, takes away freedom of information and 
with it ‘locks up’ the paperless word, an integral part to literary creation and de- 
velopment. 


Furthermore, it is notable that where traditional copyright law provides fair 
use or fair dealing and first sale rights as defaults, DRMs take just the oppo- 
site approach: anything not explicitly permitted is forbidden! This necessar- 
ily shifts the balance between the copyright holder and the public in favour of 
the copyright holder, thereby permitting computer code to regulate behaviour 
and rule over the legal code. In relation to eBooks and mobile-reader devices, 
eBooks become a means by which copyright holders can essentially take the 
law into their own hands (Coyle, 2001, p. 321). 


One of the copyright goals in relation to eBooks was to ensure that that one sale 
resulted in only one copy in circulation. Does this mean that if a library has 
fifty readers and if one of these readers wants to use a book, which is currently 
not in use, the reader will have to wait until the fiftieth reader has returned the 
book, if that is the reader for which the title has been registered? It is simply 
ridiculous. Sony Reader does attempt to get around this by stating that “al- 
though you cannot share purchased eBooks on other people’s devices and ac- 
counts, you will have the opportunity to register five Readers to your account 
and share your books accordingly”. Even so, it is submitted that this is not re- 
ally sharing, in the sense that it is known in the analogue world, where books 
are shared by not just five people, but easily by fifty people or even hundreds 
in a library. 


The Association of American Publishers, working with Andersen Consulting, 
released a 66 page document entitled Digital Rights Management for E-books: 
Publisher Requirements, detailing key DRM requirements book publishers will 
be seeking from DRM vendors in the future. On the topic of sharing/lending, 
the document details: Consumers should be able to lend an eBook to someone 
just as they can do with a paper book. As with a paper book, once the eBook 
is lent to someone else, the original consumer does not have access to the book 
content until the book is returned. Lending should not require that the eBook 
content actually transfer to the new recipient. It should be possible to disable 
access on the first consumer’s reader and enable access on the second con- 
sumer’s device, resulting in a greater range of sharing. 


However all does not seem lost: as pointed out above, the iLiad supports Linux 
Open Access Operating Systems and in the context of this paper this has got 
to a piece of news which is welcome? The iLiad runs a 2.4 Linux kernel, and 
provides MyScript handwriting recognition software for the device. iRex states 


74 


that upgrades to their Linux software will be made available through the Irex 
Delivery System (IDS) and that it will be possible to use the mobile-reader de- 
vice as a USB on PCs. Herein is the catch: only companies partnering with 
iRex will be able to develop third party tools for the reader! Given how Nokia 
is successfully using open source to give its gadgets (for example, Nokia 770) 
a first-mover advantage in the fiercely competitive consumer electronics mar- 
ket, it’s discouraging yet unsurprising that iRex would want to restrict access 
to the software development of its reader (TeleRead Blog, 2007). As expected, 
advertised as a product which supports open-access, ultimately the iLiad has 
its hitch of locking up its systems (see also iLiad Corporate Blog, maintained 
by iRex at http://i-to-i.irexnet.cony). 


7. Conclusion 


Whilst the likes of Sony Reader and iLiad have come a long way since previ- 
ous mobile-reader devices with increased interoperability, indefinite shelf life 
etc more can still be done. Mobile-reader devices may indeed be an idea whose 
potential has largely been realised with the birth of the Sony Reader and iLiad, 
but, hardware and software developers and also publishers must rethink the 
eBook pricing models and usability issues if they wish to offer a product that 
a consumer will truly be attracted to. The aim should be to disseminate a range 
of electronic formats and if this goal can be met, the Sony Reader could attain 
‘nirvana’ in the world of eBooks and mobile-reader devices as the eBook 
Reader equivalent of Apple’s iPod: a device capable of supporting multiple 
file formats, backed up by an on-demand commercial store. Before this dream 
can be realised, the Sony Reader has to address issues of access and use, shar- 
ing of titles, pricing of hardware and software interoperability issues and strin- 
gent DRM. Furthermore, may be it is time for mobile-reader devices to 
embrace projects such as Gutenberg and Ebooks.org, the latter which is a non- 
commercial repository of information related to e-book research and products. 
Their mission is to encourage the sharing and analysis of ideas surrounding e- 
book reading appliances to create an accurate understanding of their possibil- 
ities and limitations. This is a start in attempting to break down the ‘electric 
fences’. It is submitted that eBooks and mobile-reader devices should build on 
this initiative and adopt this non-commercial repository in to their eBook stores 
such as CONNECT, thereby permitting the sharing of information for educa- 
tional purposes. If not, the Sony Reader and iLiad, like their predecessors 
may prove to be an expensive toy, which has access to a very limited selection 
of titles and with stringent DRMs, may prove to be nothing more than a com- 
muter fad at best. 


75 


References 


A. 


Legislation 


WIPO Copyright Treaty (WCT) 1996 

WIPO Performances and Phonograms Treaty (WPPT) 1996 
Digital Millennium Copyright Act 1998 

EU Information Society Directive 2001/29/EC 


Cases 


Felten v. Recording Industry Association of America Filed June 6, 2001, in the U.S. Di- 
strict Court for the District of New Jersey, Case no. 01 CV 2669 
U.S. v Sklyarov and U.S. v ElcomSoft Co. Ltd N.D. Cal., No. CR-01-020138RMW 5/8/2002. 


C. 
1. 


Books/Journal Articles/Reports 


American Publishers Association, (2000) Digital Rights Management for E-books: 
Publisher Requirements, Retrieved 25 October 2007 from http://publishers.org/digi- 
tal/drm.pdf 


BBC News, Microsoft attacks Google on books, 07/03/2007, Retrieved 22 October 
2007 from http://news.bbc.co.uk/1/hi/business/6422471.stm 


Burke R., (2001) E-book devices and the marketplace: in search of customers Library 
Hi Tech vol. 19, no. 4 pp. 325-331 


CONNECT eBook store, Dumas A., Count of Monte Cristo, Retrieved 7 October 2007 
from _http://ebooks.connect.com/product/400/000/000/000/000/05 1/622/40000000 
000000005 1622.html 


Coyle K., (2001) Stakeholders and standards in the e-book ecology or, it’s the econo- 
mics, stupid! Library Hi Tech vol. 19, no. 4 pp. 314-324. 


Dusollier S., (2005) Technology as an imperative or regulating copyright: from the pu- 
blic exploitation to the private use of the work European Intellectual Property Review 
vol. 27, no. 6 pp. 201-204 


Dusollier S., (1999) Electrifying the Fence: The Legal Protection of Technological 
Measures for Protecting Copyright European Intellectual Property Review p. 285-29. 


EBook User Survey 2006, International Digital Publishing Forum, Retrieved 22 Octo- 
ber 2007 from http://www.idpf.org/doc_library/surveys/IDPF_eBook_User_Su- 
rvey_2006.pdf 

Foged T., (2002) US v EU anti circumvention legislation: preserving the public’s pri- 


vileges in the digital age? European Intellectual Property Review vol. 24, no. 11 pp. 
525-542. 


- Google Book Search, Retrieved 22 October 2007, from http://books.google.com/ 
. Gutenberg Project, Retrieved 22 October 2007, from http:/Awww.gutenberg.org/wiki/ 


Main_ Page 


. Herther N. K., (2005) The e-book industry today: a bumpy road becomes an evolutio- 


nary path to market maturity The Electronic Library vol. 23, no. 2 p. 45-34. 


. i to i Blog: Two way communication with iRex, Retrieved 27 October 2007 from 


http://i-to-1.irexnet.com/ 


76 


17. 


18. 


19. 


20. 


21. 


22: 


23. 


24. 


25. 


26. 


27. 


28. 


. iLiad Product Page, Retrieved 15 October 2007 from http://en.wikipedia.org/ 


wiki/ILiad 


. Irwin R., (1957) The Golden Chain: A study in the history of libraries — An Inaugural 


lecture delivered at University College London, 21 November 1957 (London: H.K. 
Lewis & Co Ltd.; 1957) 


. Kay A., & Goldberg A., (March 1977) A Personal Dynamic Media Computer vol. 10, 


no. 3 pp. 31-44 

Lever C., (2007) A Scissor-less, Paperless, Tome: Business, Law and Libraries — the 
eBook and Mobile Reader Debate, BILETA Conference 2007, Retrieved 20 October 
2007 from http://bileta2007.co.uk/papers/images/stream_9/LeverC.pdf 

Lytle J., (2004) Nice ebook, shame about the DRM Personal World Computer, Re- 
trieved 10 October 2007 from http://www.vnunet.com/personal-computer-world/ 
news/2043236/nice-ebook-shame-drm 

Makezine, Sony Responds to our Sony Reader questions, Retrieved 10 October 2007 
from http://www.makezine.com/blog/archive/2006/08/sony_responds_to_our_ sony_ 
read. html 

Makezine, Retrieved 10 October 2007 from http://www.makezine.com/blog/ar- 
chive/2005/06/sony_librie_hac.html 

National Institute of Standards and Technology, Retrieved 20 October 2007 from 
http://www.nist.gov/ 





National Information Standards Organisation, Retrieved 20 October 2007 from 
http://www.niso.org/ 

Perritt J., (2003) Protecting Technology over Copyright: A Step Too Far 14(1) Enter- 
tainment Law Review vol. 14, no. 2 pp. 1-4 

Pilato F., (2004) Sony LIBRIe — The first ever E-Ink e-Book Reader, Retrieved 18 
October 2007 from http://www.mobilemag.com/content/100/333/C2658/ 

Seadle M., (2003) Mental models for personal digital assistants (PDAs) Library Hi 
Tech vol. 21, no. 4 pp. 390-392. 

Sellars C., (2003) Digital Rights Management Systems: Recent European Issues En- 
tertainment Law Review vol. 14, no. 1 pp. 5-9 l 

Sony Reader Home Page, Retrieved 15 October 2007 from http://products.sel. 
sony.com/pa/prs/index.html 

TeleRead, Bring the E-Books Home, Retrieved 27 October 2007 from http://www.te- 
leread.org/blog/?p=4287 


77 


Safe Harbor Provisions of Chinese law: 
How Clear Are Search Engines from Liability? 


Huaiwen He 


PhD Candidate of Law 
Law School of Peking University 
pkubhw@gmail.com 


Abstract: Chinese safe harbor provisions are interweaved with 
civil law rules with regard to copyright infringement. The Regulation on 
the Protection of the Right of Communication through Information Ne- 
twork should have provided a circumspect and uniform “safe harbor” 
for search engines. But the judgment in JFPI v. Yahoo! China under 
the new regulation removed the intended protection accorded by the 
law to Search Engines. This case, which was appealed and is under ap- 
peal, raise serious questions concerning legal certainty.This exemplary 
case reveals that the combination of an underdeveloped tort law system 
with different safe harbor provisions belonging to different legal instru- 
ments commands careful interpretation of the law so that legal certainty 
could be preserved. This article carefully examines the existing safe 
harbor provisions under the Chinese law system , indentifies and analy- 
zes the errors in applying the law in the Yahoo! China case. This paper 
will show that future judiciary interpretation or legislative effort is ne- 
eded to legal ambiguities and lacuna in the law. 


Keywords: search engine, safe harbor, digital copyright, joint liability, red flag 


1. Introduction 


Chinese law has run rather a long way in responding to the challenges posed 
by the digital technology to copyright protection. When the Internet was 
emerging as an important media in China at the beginning of 21* century, the 
Chinese Supreme Court issued in 2000 the Judiciary Interpretation concern- 
ing Law Application in Adjudicating Copyright Disputes Related to Computer 
Network (hereafter referred as “Judiciary Interpretation for Digital Copyright”). 
Following that, the Copyright Law of People’s Republic of China recognized 
in 2001 the right of communication through information networks, i.e., the 
right to communicate to the public a work, by wire or wireless means, in such 
a way that the public may access the works thus communicated from a place 
and at a time individually chosen by them. In continuing this development, the 
Administrative Measures to Protect Copyright Related to Internet (hereafter 
referred as “Administrative Measures for Digital Copyright”) was promulgated 
in 2005. Notably, on July 1st, 2006, a landmark instrument came into force, 


79 





that is, the “Regulation on the Protection of the Right of Communication 
through Information Network” (hereafter referred as “RCIN Regulation’). 
Later in the same year, the Judiciary Interpretation for Digital Copyright 2000 
was revised accordingly. 

Questions arise as to how dangerously Internet Service Providers are 
exposed to copyright infringement with the strengthening of the digital copy- 
right protection. In fact, copyright protection is not the only objective of these 
legal provisions. Instead, digital copyright is approached in a balanced way, 
and influenced by other legislations, such as the United States Digital Millen- 
nium Copyright Act (hereafter referred as “DMCA”), the European Union Di- 
rective on the Harmonization of Certain Aspects of Copyright and Related 
Rights in The Information Society and the Directive on Certain Legal Aspects 
of Information Society Services, in Particular Electronic Commerce. Not sur- 
prisingly, the safe harbor provision is an important part of China’s digital copy- 
right law. 

However, there is very little academic discussion about the Chinese “safe 
harbor” provisions, let alone those applicable to search engines. It was as- 
sumed that China had already put in place sound safe harbor provision for 
providers of hyperlinks and location tools. 

But this view disappeared with the recent judgment rendered by the 
Beijing Second Intermediate People's Court on 10th April 2007 in the IFPI v. 
Yahoo! China ['], which held that Yahoo! China has clear responsibility for re- 
moving all links to the infringing tracks on its service and is liable for aiding 
other persons in online copyright infringement, in contradiction of Article 23 
of the Regulation on the Protection of the Right of Communication through In- 
formation Network. This case has serious repercussions for search engines lo- 
cated in China as this could force Chinese search engines to be the most 
overzealous engines of the world in disabling or removing content and en- 
couraging copyright holders to be more generous than ever in sending un- 
qualified warning across Chinese cyberspace. 

To fully understand the legal and reasonable scope of search engine’s 
liability and the legal ramifications of the Yahoo ruling , this paper will ex- 
amine the safe harbor provisions For this purpose, the first section of this paper 
examines the Chinese provisions for deciding joint liability for search engines; 
the second section discusses the “safe harbor” provisions in the Regulation 
RCIN, the Judiciary Interpretation for Digital Copyright and the Administra- 
tive Measures for Digital Copyright. The third section addresses the law ap- 
plication issues in the Yahoo! China case. Finally, the fourth section concludes 
that China needs to supplement and harmonize the current safe harbor provi- 
sions. 


80 


2. Joint Infringement and Joint Liability for Search Engines 


Search engines are information location tools. In general, Search engines do 
not upload and make infringing content available to the public. Thus, they 
could not be held liable for direct copyright infringement. Indirect or second- 
ary infringement, however, could not be imputed to them under current Chinese 
law, as there is no specific legal provision for indirect or secondary infringe- 
ment, neither in the Chinese civil law nor in copyright law. There are limited 
provisions for joint tort or infringement, however. The foundational provision 
in this respect is the Article 130 in General Principles of the Civil Law of 
P.R.C., issued in 1986, which states, “If two or more persons jointly harm an- 
other person's rights and cause damages to him, they shall be liable jointly.” 

To adapt to the digital environment, the Supreme Court promulgated the 
Judiciary Interpretation for Digital Copyright in 2000. Under Chinese law, 
search engines can be held liable on the grounds of joint infringement. The Ar- 
ticle 4 thereof (also the Article 3 of Interpretation 2006) provides that where an 
Internet Service Provider participates in other persons’ infringing activity via 
internet, or aid and abet others to infringe copyright via the internet, the Peo- 
ple’s courts shall, according to the Article 130 in General Principles of the Civil 
Law of P.R.C., hold the Provider jointly and severally liable with the persons 
who are directly or indirectly involved in the infringement. 

It should be noted here that all of the above clauses does not mention 
anything about the knowledge or awareness standard to be applied. Rather, 
they only provide that the persons who jointly harm others’ right shall bear li- 
ability jointly and severally. Therefore, judges could only refer to the liability 
principles behind Article 130, except where the law explicitly provides other- 
wise. It might provoke debate as to what extent such doctrine should be ap- 
plicable to a search engine facing a charge of joint infringement. This point 
will be addressed later. 


3. Safe Harbours for Search Engines 


Within Chinese law system, there is no uniform “safe harbour” provision for 
search engines. Instead, there are different kinds of safe harbour provisions, 
belonging to the Regulation RCIN, the Judiciary Interpretation for Digital 
Copyright and the Administrative Measures for Digital Copyright, with dif- 
ferent legal effect. 


3.1. Safe Harbour under the Regulation RCIN 


The Regulation RCIN should not be regarded a “regulation” as such. It does 


81. 


not concern itself with governmental intervention as the Administrative Meas- 
ure for Digital Copyright. Instead, it supplements and implements the Chi- 
nese Copyright law’s provision for the right of communication through 
information networks. This regulation may be enacted by the National People's 
Congress or its Standing Committee. This regulation was promulgated by the 
State Council; and according to the Chinese law system, the courts shall com- 
ply with regulations when adjudicating related disputes. 

Article 23 of Regulation RCIN is the Chinese “safe harbor” for search 
engines. It provides that when a provider of search or link service, upon receipt 
of a notification from a right holder, takes down links to allegedly infringing 
works, performances or sounding/ video recordings, he shall not be liable for 
monetary liability; but if he knows or should know that the content linked in 
question is infringing, he shall be held for joint and several liability. 

This safe harbor differs from DMCA §512(d). Firstly, the DMCA pro- 
vision does not require a Notification Take-down procedure. However, from 
the plain language of the Article 23, it applies only where a notification is pres- 
ent. It is unclear here whether a copyright holder is obligated to make notifi- 
cation in order to enforce his rights. This point is addressed by the Judiciary 
Interpretation for Digital Copyright, which will be discussed in the succeed- 
ing section. Second, §512(d) sets forth a knowledge standard different from 
that in the traditional decision of infringement, by providing that a service 
provider can be protected by the safe harbor if he “does not have actual knowl- 
edge that the material or activity is infringing”, or, “in the absence of such ac- 
tual knowledge, is not aware of facts or circumstances from which infringing 
activity is apparent”, or, “upon obtaining such knowledge or awareness, must 
act expeditiously to remove, or disable access to, the material.” Article 23, 
however, with the term of “know or should know” does not clearly distinguish 
itself. Thirdly, the§512(d) includes the vicarious liability rule by conditioning 
limitation of liability on the fact that the service provider “does not receive a 
financial benefit directly attributable to the infringing activity, in a case in 
which the service provider has the right and ability to control such activity.” 
Article 23 has no such provision. Nevertheless, this does not mean that Chi- 
nese law will condone such deed. It is likely that, in the case where the com- 
bination of reception of a financial benefit directly attributable to the infringing 
activities and the fact that the service provider could have controlled the ac- 
tivities is sufficient to prove that he should have known the infringing activi- 
ties. Finally, the §512(d) limits both monetary and injunctive relief. Article 23, 
however, only concerns itself with monetary liability and states nothing about 
injunction. 

Article 23 should be interpreted in the following context. The term “no- 





- 82 


tification” of the Article 23 is defined by the Article 14, which requires that a 
“notification” sent by a right holder shall contain: (1) the name, address and 
contact information of the right holder; (2) the name and location of the in- 
fringing works, performance, sounding/video recording which are requested 
to be deleted or to which the links are to be disabled; and (3) prima facie evi- 
dence for infringement. In short, a simple communication sent to a provider 
that includes only information about copyrighted works, claiming generally 
that the intended recipient provides storage of or links to content infringing 
the copyrighted works, shall not be eligible as a “notification”. Since Article 
14 provides no mechanism for a right holder to cure a defective notification, 
receipt of such a notification should bring about no obligation on the recipient. 

Caution should be taken in interpreting the “but-if” clause of Article 23. 
From the plain language of this article, the “but-if’ clause makes an exception 
to the limitation of liability based on the Notification Take-down procedure. 
This proviso should mean that even if a service provider took down allegedly 
infringing content upon receipt of a notification, the right holder sending the 
notification could still successfully hold the provider liable if he can establish 
that the provider knew or should have known that the content linked in ques- 
tion was infringing. It is arguable that in the absence of notification, Article 23 
is just not applicable. 

The knowledge standard here, however, shall be subject to strict inter- 
pretations. On the one hand, the “but-if clause builds an exception for the 
safe harbor. It is legally logical that all exceptions shall be clearly defined. 
Otherwise, exception would usurp the norm. Likewise, a broad interpretation 
of the term “know and should know” could subvert the safe harbor designed 
by the framer of this Regulation. On the other hand, Article 23 is a provision 
concerning the limitation of liability and is not a rule to determine the condi- 
tions for infringement. If the term “know and should know” implies the same 
knowledge standard as that used in evaluating whether acts constitute joint in- 
fringement, the Notification] Take-down procedure designed is rendered 
meaningless: No limitation on liability could be possible. 

The knowledge standard applicable in the Article 22[?], similar to Arti- 
cle 23, should follow the same reasoning thread. According to Article 22, one 
condition for a service provider of information storage to be exempted from 
monetary liability is that he “does not know or have no reasonable grounds to 
know that the works, performances, sounding/video recordings supplied by the 
client are infringing.” In the author’s point of view, “know or have reasonable 
grounds to know” means the same as “know or should know” of the proviso 
within the Article 23. Without “reasonable grounds” presented, the duty of 
care “should know” shall not be imposed. Furthermore, the Regulation makes 


























83 


no indication that “to have reasonable grounds to know” shall be distinguished 
from “should know”; nor is there any such provision in Chinese law system. 
The DMCA§512(c) and (d) are closely similar, with the U.S. law treating In- 
formation Residing on System or Network and Information Location Tool 
alike. The essence of Article 22 and 23 should be alike. It is clear that the dif- 
ference in the wording of the two articles reflects their different physical func- 
tions. Consequently, it is logical and pragmatic for the Regulation to treat 
providers of information storage and location equally by requiring equal duty 
of care. Therefore, the Yahoo! China case can mean as much to information 
storage service as to information location service. The interpretation of “should 
know” within the proviso of the Article 23 will impact significantly on that of 
“to have no reasonable grounds to know” within the Article 22. 

As nowhere in the Regulation deals with this critical issue--the precise 
meaning of the term “know or should know” within the Article 23, we could 
only look outside the Regulation RCIN for understanding the knowledge stan- 
dard behind this term. The Judiciary Interpretation for Digital Copyright is 
undoubtedly a paramount source. 


3.2. Safe Harbour under the Judiciary Interpretation for Digital Copyright 


Judiciary Interpretation for Digital Copyright 2006 provides for another type 
of safe harbour for search engines. Article 4 thereof states that where an In- 
ternet provider of content service actually knows that a user infringes others’ 
copyright via internet, or upon receipt of a substantiated warning from a copy- 
right holder, does not remove infringing content or takes other effective meas- 
ures to eliminating the alleged infringement, the People’s courts shall, 
according to Article 130 of the General Principles of the Civil Law of P.R.C., 
hold the provider to joint liability with the user. This article is the same as Ar- 
ticle 5 of its predecessor, the Judiciary Interpretation for Digital Copyright 
2000. Although this provision does not cover search engines literally, a Re- 
sponse from the Supreme Court to Jining Intermediate Court in 2005 made it 
clear that this rule applies to search engines in combination with Article 4 of 
Judiciary Interpretation for Digital Copyright 2000(i.e., the Article 3 of the In- 
terpretation 2006). 

This safe harbor provision, however, is distinct from that of the Regu- 
lation RCIN in that it does not require the Notification Take-down procedure. 
It also differs from the DMCA §512(d) mainly because it provides the condi- 
tions for holding search engines for joint liability instead of defining the scope 
of a safe harbor. From the plain language, a search engine is not liable if a 
right holder cannot prove that he actually knew that the content linked in ques- 
tion was infringing or that he refused to remove the allegedly infringing con- 














84 


tent upon receipt of a substantiated warning from the right holder. It is also 
clear that a judge could not directly apply the Article 130 in the General Prin- 
ciples of the Civil Law without firstly citing this provision. In fact, this arti- 
cle attaches conditions to application of the Article 130 to search engines. 

Here, a copyright holder is not obligated to make a notification or warn- 
ing in order to enforce his rights. But if he does provide a search engine with 
a substantiated warning of infringing activities by a third party, they certainly 
obtain the upper hand over the search engine in prospective litigations. Of 
course, a “notification” satisfying the legal requirements as laid out in the Reg- 
ulation RCIN is a “substantiated warning”, but a “substantiated warning” may 
take other forms. The current Judiciary Interpretation for Digital Copyright 
resembles its predecessor, the Interpretation 2000, which came into being be- 
fore the Regulation RCIN and the Administrative Measures for Digital Copy- 
right. It is no surprise that there is no provision about the 
“Notification—Take-down—Counter-notification” procedure in the Judiciary 
Interpretations for Digital Copyright. It is possible and logical that what the In- 
terpretations mean by a “substantiated warning” is wider than a qualified no- 
tification. Obviously, a defective notification alone cannot be a “substantiated 
warning.” 

As it is widely believed that this piece of judiciary interpretation draws 
much on the DMCA, “actual knowledge” here should be interpreted by refer- 
ence to the “red flag” test underlying the DMCA §512(d). According to the 
“red flag” test, online editors and catalogers would not be required to make 
discriminating judgments about potential copyright infringement [°]. By this 
standard, “a service provider would have no obligation to seek out copyright 
infringement, but it would not qualify for the safe harbor if it had turned a blind 
eye to “red flags” of obvious infringement” [*]. But “the provider could not 
be expected, during the course of its brief cataloguing visit, to determine 
whether [the works] was still protected by copyright or was in the public do- 
main; if [the works] was still protected by copyright, whether the use was li- 
censed; and if the use was not licensed, whether it was permitted under the fair 
use doctrine” [°]. “Sophisticated ‘pirate’ directories, however, are excluded 
from the safe harbor. “Such pirate directories refer Internet users to sites that 
are obviously infringing because they typically use words such as ‘pirate,’ 
‘bootleg,’ or slang terms in their URLs and header information to make their 
illegal purpose obvious [°]”. . 

However, it is unclear here whether an unsubstantiated warning could 
serve as evidence to prove actual knowledge on the part of the provider. Ac- 
cording to DMCA512(c) (3) (B) (i), however, a notification fails to comply 
substantially with the elements of a notification shall not be considered in de- 


85 


termining whether a service provider has actual knowledge or is aware of facts 
or circumstances from which infringing activity is apparent. As Chinese law 
has never explicitly denied a defective warning (notification) as an admissible 
evidence, the court could accept it as evidence to prove “actual knowledge”. 
However, the probative value of such warning or notification depends largely 
on the extent to which the provider could derive actual knowledge from it. 

It is further unknown here whether a defective warning could bring about 
any obligation on the part of the recipient. According to DMCA 512(c) (3) 
(B) (i), where a complaining party has provided the requisite information con- 
cerning the identification of the copyrighted work and of the allegedly in- 
fringing material, and information sufficient for contacting the complaining 
party, the service provider is obligated to promptly attempt to contact him or 
take other reasonable steps to assist in the receipt of notification substantially 
compliant with DMCA. Otherwise, a defective notification communicated to 
the designated agent may be considered as evidence in evaluating the 
provider’s knowledge or awareness of facts and circumstances. In contrast, 
there is no similar provision in Chinese law that a defective notification or 
warning could bring about any duty on the part of the recipient. It seems that 
it makes no difference whatever action a provider takes in disposition of de- 
fective notifications or warnings. Nonetheless, he should keep records of de- 
fective notifications for at least 60 days according to the Administrative 
Measures for Digital Copyright for his own sake, as the Measures require that 
notifications from right holders be so kept, but without indicating how to treat 
defective ones. 

The knowledge standard of the “but-if” clause within Article 23 of the 
Regulation RCIN should be interpreted consistently with Article 4 of the Ju- 
diciary Interpretation for Digital Copyright 2006. Considering that the Judi- 
ciary Interpretation 2000 was revised in 2006 to adjust itself to the adoption of 
Regulation RCIN, the Interpretation 2006 should be regarded as consistent 
with the Regulation RCIN where they govern the same matter. Therefore, the 
term “know” of the proviso in the Article 23 should mean “actually know”, 
and the care of duty implied by “should know” of the proviso could only be 
found when the copyright holder had presented a substantiated warning. 


3.3. Safe Harbour under the Administrative Measures for Digital 
Copyright 


Unlike most countries in the world, China has put in place administrative reme- 
dies for copyright infringement. Correspondingly, there is also a safe harbor 
against administrative punishment. The Administrative Measures for Digital 
Copyright, issued in 2005, has a “Notification—Take-down—Counter- 


86 


notification” mechanism similar to that of Regulation RCIN. Article 11 of the 
Administrative Measures provides that “ where an internet service provider ac- 
tually knows that a content provider infringes others’ copyright via internet, 
or where he does not actually know the infringing activities, but he does not 
take action to remove related allegedly infringing content upon receipt of a no- 
tification from a copyright holder, and if public interest is harmed at the same 
time, copyright administration agency may issue a cease-and-desist order to 
the service provider, and order the following punishment: (1) confiscating in- 
come coming from infringement; (2) award a fine less than treble of his ille- 
gal revenue; where such revenue is difficult to be calculated, a fine less than 
100,000 RMB. Article 12 makes it further clear that when there is no proof of 
“actual knowledge”, or when the service provider takes down allegedly in- 
fringing content, he shall not be accountable for any administrative liability. 

This safe harbor is safer than the Regulation RCIN and the Judiciary In- 
terpretation for Digital Copyright indeed in that only where public interest is 
harmed should copyright administration agency intervene. Although deter- 
mining when public interest is harmed may be difficult except where the con- 
tent is regulated, this degree of governmental intervention is appropriate in that 
copyright as such is a bundle of private rights. Where a service provider is dis- 
satisfied with the decision made by a copyright administration agency, he could 
bring the case before the court against the agency. 

The Administrative Measures was issued jointly by the National Copy- 
right Administration and the Ministry of Information Industry, and thus could 
not bind the court according to the Chinese law system. The courts, however, 
could refer to the Measures where appropriate. In fact, the safe harbor is sim- 
ilar to the Judiciary Interpretation for Digital Copyright except for its empha- 
sis on the harm to public interest. With related provisions more in detail, the 
Administrative Measures could provide the courts with guidance. 


4. Apply the Safe Harbour Provisions to IFPI v. Yahoo! China 
4.1. IFPI v. Yahoo! China 


The International Federation of the Phonographic Industry (IFPI) represents 
the recording industry worldwide with some 1450 members in 75 countries 
and affiliated industry associations in 49 countries. Yahoo! China is a direc- 
tory like Yahoo! The music industry association accused Yahoo! China of pro- 
viding links to pirated musical material. On April 10 and July 4, 2006, IFPI 
sent two communications to Yahoo! China, requesting it to delete all links to 
the Websites that contain downloadable, copyrighted songs without permis- 
sion from the record companies. The IFPI ‘communications provided infor- 
mation regarding the internet address of the Plaintiff’s sound recordings and the 


87 


names of the albums and singers of the songs in question, along with 33 spe- 
cific Uniform Resource Locators (URL) as examples for each of the 33 songs 
at issue. Yahoo! China took down only the 33 specific URLs. 

Dissatisfied with Yahoo! China’s inaction, IFPI brought the case before 
the Beijing Second Intermediate People's Court in January 2007. The cases 
were brought on behalf of EMI Group Hong Kong Limited, EMI Records Lim- 
ited, EMI Taiwan Limited, Go East Limited, Mercury Records Limited, Sony 
BMG Music Entertainment (Taiwan) Limited, Sony BMG Music Entertain- 
ment , Universal International Music B.V, Universal Music Limited, Warner 
Music Hong Kong Limited and WEA International Inc. IFPI filed 11 separate 
claims for an injunction and damages. 

The court held that the Defendant acquired information both about the 
Plaintiff’ copyrights and the allegedly infringing songs upon receipt of the No- 
tice and that the music search service had links to content infringing the Plain- 
tiff’s copyright. Because Yahoo! China took down only the specific 33URLs 
and was inactive in performing its obligation to delete other links related to 
content infringing the songs in question, it condoned infringement. Therefore, 
the court concluded, Yahoo! China was at fault, constituting aiding other per- 
son in infringing activities through Internet, and thus was liable correspond- 
ingly. The court cited Article 23 of the Regulation RCIN, the Chinese safe 
harbour for search engines. 

This case is under appeal. Undoubtedly, if this case is upheld, the rule 
underlying this case will have far-reaching effect on the Internet and will not 
be limited to search engines. Chinese search engines would become the most 
overzealous engines of the world in disabling or removing content, not only 
with respect to music works, but also to other types of works, e.g., literary 
works, graphic works, audio-video works. Copyright holders would gener- 
ously send defective notifications across the cyberspace containing only in- 
formation about copyrighted works and copyright holders’ names, with or 
without specific URLs as examples, requesting boldly that all storage of and 
links to content potentially infringing the claimed works be removed and dis- 
abled. Upon receipt of such notification, according to the judgment in the 
Yahoo! China case, the service providers should know that infringing activities 
exist. He could do nothing but act expeditiously as requested in order to avoid 
full liability for infringement. Service providers of information society will 
be crippled by the laborious compliance requirement. This will be contrary to 
the intent of Article 23 and will make the safe harbors provision useless. 


4.2. Applying the Safe Harbour Provisions 
It is perplexing that the court in the IFPI v. Yahoo! China case cited Article 23 


88 


of the Regulation RCIN, which is a safe harbor provision requiring “Notifica- 
tion—Take-down” procedure. Apart from the specific URLs provided, the 
communication received by Yahoo! China does not constitute a “notification’ 
for the purpose of the Regulation. Should such communication be a qualified 
notification, the court would have arrived directly at the conclusion that Yahoo! 
China shall be liable because of its inaction. In spite of the defectiveness of the 
notification, the court found IFPI v. Yahoo! China liable and the consequence 
of this decision is to corrupt the “Notification—Take-down” mechanism. Ifa 
defective notification could usurp a qualified one, defective notifications will 
soon flood the system and cripple the service providers. The only task of the 
Copyright holders’ here is sending copyright management information, but the 
service providers’ have the responsibility of taking down all potentially in- 
fringing content and shoulder all the possible erroneous taking-down alone. It 
is possible that a defective notification does not constitute misrepresentation to 
which the sender of a notification shall be responsible. In fact, this approach 
risks forcing service providers to serve as copyright holders’ gatekeepers, free 
of charge and at their own risk. 

Even if the court was right to disregard the requirement of a qualified no- 
tification in applying Article 23, it could not rely on the “should know” word- 
ing within the “but-if” clause as safe grounds to hold the search engine liable. 
The knowledge standard of “should know” is subject to strict interpretation, 
different from ordinary meaning in the context of civil law. Nevertheless, the 
court disregarded the fact that the proviso creates an exception, which should 
be interpreted strictly. So easily did the court hold that one piece of informa- 
tion concerning copyrighted works in question and the names of the singers are 
sufficient to bring about a duty of reasonable care for the sender’s digital copy- 
right. With the same ease, it arrived at the conclusion that Yahoo! China, who 
should have known that its music search service had links to content infring- 
ing the Plaintiffs copyright, is liable. In so doing, the court in effect imposed 
a general obligation to monitor the service, a dangerous forward step risking 
judiciary prudence. It seems that only when a search engine is certain that his 
search service is free of links to all potentially infringing content could it in- 
voke limitation on liability. So harsh is this obligation! 

It is even more perplexing that the court did not apply the Article 3 in 
combination with Article 4 of the Judiciary Interpretation for Digital Copyright 
2006. After deciding that Yahoo! China should have known that his music 
search service had links to content infringing the Plaintiff’s copyright, the court 
held that Yahoo! China had aided in infringing activities and should be liable 
correspondingly, citing only Article 3. Article 4 intends that only where a 
search engine actually know or takes no action upon receipt of a substantiated 


89 


warning from a right holder should he be held liable. It does not matter whether 
the search engines should or should not know. Even if Yahoo! China should 
have known that his music search service had links to content infringing the 
Plaintiff’s copyright and thus should be liable according to the Article 130 of 
the General Principles of the Civil Law, the court shall apply the Article 4, 
which supersedes the Article 130 with regard to search engines, as discussed 
before. 

In view of the fact that the Plaintiff had not provided a substantiated 
warning, the court should have evaluated whether Yahoo! China actually knew 
that the content linked in question was infringing. It is clear that without ex- 
ercising discriminating judgment and effort to seek out infringement, Yahoo! 
China could not possibly acquire actual knowledge that any third party was 
infringing the Plaintiff’s copyright by merely relying on the names of the songs 
in question and the singers thereof provided by the Plaintiff. Additional evi- 
dence is required to prove that Yahoo! China possessed “actual knowledge”. 
As the court did not characterize Yahoo! China’s music directory as a “pirate 
directory”, the Plaintiff should submit further evidence to prove that there was 
a “red flag” to which Yahoo! China could not have turned a blind eye. 

It was argued that Yahoo! China derived its advertising revenue from 
links to infringing content and thus should be liable. This is not a worthy legal 
argument. There is no proof that Yahoo! China had received a financial ben- 
efit directly attributable to the infringing activity and that it had the right and 
ability to control such activity. Furthermore, nowhere in the current Chinese 
law could you find a provision that a search engine should be liable for copy- 
right infringement merely because his advertising revenue comes in part from 
links to potentially infringing content. Even if a search engine should be cul- 
pable when he generally knows that his search service might provide links to 
infringing content, the Plaintiff is only entitled to remedy for the contribution 
of his copyrighted works to Yahoo! China’s advertising revenue that is attrib- 
utable to the links to the content infringing the Plaintiff’s copyright. Unfortu- 
nately, the judgment does not show that the Plaintiff made an effort to establish 
such contribution. 

Some academic criticize that the operation of the Article 4 of the Judi- 
ciary Interpretation 2006 could not secure reasonable protection for copyright 
holders and advocates that the court was right in applying the Article 23 to 
IFPI v. Yahoo! China. The same academic also argues that IFPI v. Yahoo! 
China must not apply to Web Search, Image Search, News Search (etc), where 
fair use of the works concerned is everywhere. 

I disagree with this view. Even if the Article 4 is ambiguous, it is still the 
governing rule of law. Article 23, as discussed before, is not a provision to lax 


90 


the Article 4 of the Interpretation. Though I sympathize with the copyright 
holders’ situation of enforcing their rights in the digital environment, I am con- 
vinced that legal certainty prevails over academic aspiration. Moreover, it is 
my understanding that musical works should be protected equally with other 
types of works except as otherwise provided by the law. Fair use privilege of 
music works should be preserved online too. In fact, music works could also 
be used for news reporting, criticism, parody, and so on. If there is any weak- 
ness within the current Chinese law in respect of digital copyright protection, 
it should be left to future judiciary interpretation or legislative effort. 


5. Conclusion 


Chinese safe harbor provisions are interweaved with Chinese civil law rules 
with regard to copyright infringement. With different safe harbor provisions 
belonging to different legal instruments, careful interpretation is required to 
preserve legal certainty. The Regulation RCIN should have provided a more 
circumspect safe harbor for search engines. But in view of the judgment in 
IFPI v. Yahoo! China, the wording “should know” within the proviso of the 
Article 23 is susceptible to be misinterpreted as lowering the threshold for hold- 
ing search engines to joint liability. Conceivably, the safe harbor provision for 
service provider of information storage is likely to suffer the same way. In 
short, the water in the safe harbors is muddied by JFPI v. Yahoo! China. The 
Appellate court should correct the misapplication of the law in the Yahoo! 
China case. In addition, future judiciary interpretation or legislative effort, 
however, is needed to cure existing weakness in respect of digital copyright. 


Notes 


[1] IFPI brought the lawsuit against Yahoo! China on behalf of local and international record 
companies in January 2007, i.e., EMI Group Hong Kong Limited, EMI Records Limited, 
EMI Taiwan Limited, Go East Limited, Mercury Records Limited, Sony BMG Music En- 
tertainment (Taiwan) Limited, Sony BMG Music Entertainment, Universal International 
Music B.V, Universal Music Limited, Warner Music Hong Kong Limited and WEA Inter- 
national Inc. 


[2] Regulation RCIN, Article 22: A service provider of information storage for a client to 
make available to the public works, performances, sounding/video recordings is not liable 
for monetary relief provided that he : (1) clearly indicate that the space is provided to client 
for storage, and the name, contact person and URL of the provider; (2) make no change to 
the works, performances, sounding/video recordings supplied by the client; (3) does not 
know or have no reasonable grounds to know that the works, performances, sounding/video 
recordings supplied are infringing; (4) does not receive a financial benefit directly attrib- 
utable to the works, performances, sounding/video recordings supplied; (5) upon receipt of 
a notification from a right holder, delete the alleged infringing works, performances, sound- 
ing/video recordings according to this Regulation. (author's translation, only for reference) 


91 


[3] See, Senate Report on the Digital Millennium Copyright Act of 19980Report 105— 
1900105th CongressO2d Session, p49, available at< http://digital-law- 
online.info/Ipdil .0/misc/SRep105-190.pdf> 


[4] See, ibid, p48 
[5] See, ibid 
[6] See, ibid 


























Reference 











Senate Report on the Digital Millennium Copyright Act of 1998 Report 105—1900105th 
Congress(12d Session, available at< hitp://digital-law-online.info/Ipdi1.0/mise/SRep105- 


190.pdf> 




















92 


THE IDEA - EXPRESSION DICHOTOMY: 
INDIANIZING AN INTERNATIONAL DEBATE 


K.P. Abinava Sankar 


Student of Law, 3™ year, B.A.B.L(Hons) 
NALSAR University of Law, 
Justice City, Shameerpet, Hyderabad, India 500 078 


kp_abinav@yahoo.com. 


Nikhil L.R. Chary 
Student of Law, 3” year, B.A.B.L(Hons) 
NALSAR University of Law, 
Justice City, Shameerpet, Hyderabad, India 500 078 
nikhil.chary@gmail.com. 


Abstract. The idea-expression dichotomy was originally formu- 
lated to ensure that the manifestation of an idea is protected rather than 
the idea itself. Created with the intention of stimulating creativity while 
at the same time ensuring that such creativity is protected, this concept 
has come a long way since it was first formulated. However, in devel- 
oping countries like India, this concept has not yet attained the levels of 
abstraction that is desirable and there has been little application of this 
concept in the Indian context. However this position can be expected to 
change and it is high time the Indian position on this concept is firmly 
established. 


1. Introduction 


The principle ‘the law must keep up with human development and progress’ is 
quite a clichéd one. But it can hardly be described thus, if one were to con- 
sider the growing relevance of software and technology in modern times. How- 
ever on a practical scale, this evolution of the law is often fraught with 
difficulties given its reliance on principles and practices that have since time 
immemorial become its essence. So the question that we must consider here is 
how one needs to go about reconciling these governing standards of the law 
with the growing need for its evolution so that it is possible for one to encom- 
pass computer software protection into the law. It is in this context that this di- 
chotomy between idea and expression has arisen. Thus, if one seeks to 
understand the problems that we are facing with current copyright law and its 
application to computer software protection, one must first understand the na- 
ture of the afore-mentioned dichotomy between ideas and expression. The es- 
sential difference between the two has been classified as the foundation upon 
which copyright law rests. 


93 


Courts have traditionally declined to put forth a straitjacket definition for 
the term idea. An idea has been described as a thought, as a mental image, as 
a conception of a theory. In layman terms, an idea can thus be described as a 
formulation of thought on a particular subject while expression would consti- 
tute implementing the said idea. Needless to state, the same idea can have nu- 
merous expressions and this is where the issue of copyright arises. If the same 
idea can be expressed in a number of different ways, a number of different 
copyrights may co-exist and no infringement will result. However, one is faced 
with a problem when it becomes difficult to delineate between the idea and its 
expression. Herein lies the idea of merger where an idea and the expression 
cannot be separated and they are said to have merged. When merger has oc- 
curred, the expression may not be copyrighted, because to do so would in ef- 
fect be copyrighting the idea. However an oft quoted policy concern of this 
doctrine is that, when the idea and its expression are thus inseparable, protect- 
ing the expression in such circumstances would confer a monopoly of the idea 
upon the copyright owner. At the same time, an idea can also have certain ex- 
pressions, without which the idea cannot exist. In other words, there can exist 
an idea where changing the expression of the same in a particular form would, 
in effect change the very idea itself. Most courts consider these essential ideas 
not copyrightable, as to copyright them would also, in effect, copyright the 
idea. This type of merger is sometimes called scenes a faire. Another example 
of merger is when there are only a very few ways to express a given idea. This 
is called the ‘Idea-expression identity’ exception when specific instructions, 
even though previously copyrighted, are the only and essential means of ac- 
complishing a given task, their later use by another will not amount to an in- 
fringement. [1] Although the idea/expression dichotomy is such a 
time-honoured doctrine, it has long been subject to fierce criticisms for its fail- 
ure to provide practical guidelines underneath its metaphysical surface. The 
intricacy lies in the fact that very few, if any, works contain exclusively either 
ideas or expressions. Indeed, almost any work can be abstracted into a spectrum 
of various levels of generality, at one extreme of which is the principal goal or 
theme of the work and the other extreme is the literary expression. 


2. The Law in the United States of America 


2.1 Origins 


American copyright literature has usually traced the origin of this dichotomy 
between idea and expression back to the seminal case of Baker v. Selden. [2] 
In this case, the plaintiff owned copyright in a series of books that explained a 
bookkeeping system annexed with certain forms consisting of ruled lines and 


94 


headings, illustrating this system. The defendant was accused of copyright in- 
fringement, because it made and used account books arranged on substantially 
the same system, employing forms with slightly different columns and head- 
ings. In ruling in favour of the defendant, the Supreme Court held that there is 
a clear distinction between the books, as such, and the art, which they intended 
to illustrate. The description of the art in a book (the expression in the instant 
case), though entitled to the benefit of copyright, lays no foundation for an ex- 
clusive claim to the art (the idea) itself. [3] 


2.2 Principles of the idea/expression dichotomy in Computer Software 
under U.S Law: - 


The afore-mentioned principle that governs the idea-expression dichotomy in 
the United States has since been incorporated into the software field as well. 
Copyright grants the author of a computer program the exclusive right to re- 
produce copies, prepare derivative works, distribute copies, and perform and 
display the copyrighted work for the period of his life plus fifty years. [4] These 
exclusive rights are limited in several important ways however. The purchaser 
of a copy of a copyrighted computer program may make an archival copy of 
the program or adapt the program to his own specific needs, if he does so solely 
for his own use. In addition, the computer program may be used for teaching, 
research, or scholarship without constituting infringement under the fair use 
doctrine. As a final limitation, the statutory scheme embodies the common- 
law limitation that ideas as such are not protected. The Act gives a statutory def- 
inition of the idea/expression dichotomy: 


“In no case does copyright protection for an original work of author- 
ship extend to any idea, procedure, process, system, method of opera- 
tion, concept, principle, or discovery, regardless of the form in which 
it is described, explained, illustrated, or embodied in such work.”[5] 


In spite of such a provision this dichotomy has remained unsolved. 
Through an analysis of case law it becomes apparent that the purpose of this 
statutory definition is merely to restate, in the context of the new single Fed- 
eral system of copyright, that the basic dichotomy between expression and idea 
remains unchanged. Thus, the resolution of the most crucial and most elusive 
question concerning the scope of copyright protection afforded to all works of 
authorship is solely a matter of judicial discretion. 

In the 1980s the National Commission on New Technological Uses of 
Copyrighted Works (CONTU), created by the Congress to study the applica- 
tion of intellectual property law to computer software, came out with a final re- 
port that set forth four goals for copyright in computer programs, which reflect 


95 


the traditional attempt to balance protection and competition: 


1. Copyright should proscribe the unauthorized copying of these works. 
2. Copyright should in no way inhibit the rightful use of these works. 
3. Copyright should not block the development and dissemination of 
these works. 
4. Copyright should not grant anyone more economic power than is nec- 
essary to achieve the incentive to create. [6] 


Although accosted with severe criticism, this explicit recognition of 
computer programs as literary works under the Act settled the initial question 
of protection ability, but left the courts to resolve the scope of protection under 
the Act. In their attempts to be practical, however, courts have erected a frame- 
work that protects the time, effort, and money involved in the production of 
copyrighted material to the exclusion of all else. Thus it is helpful to examine 
how the courts have filled in the present outline of copyright protection of com- 
puter programs. Decisional and statutory laws make it abundantly clear that 
computer programs expressed in source code can be protected as literary 
works.[7] Courts further have held that computer programs expressed in a 
higher-level language meet the statutory requirements of originality and fixa- 
tion. The afore-mentioned defence that limited copyright to works designed to 
be read by lay individuals rather than by machines or experts, [8] was rejected 
by Courts in a line of cases, the most notable being Apple Computer, Inc. v. 
Franklin Computer Corp. which stated that copyright protection could also be 
extended to the object code version of a computer program embedded in a 
ROM. The afore-mentioned decisions are representative of the Court’s efforts 
to protect the object code of the software within the definition of a ‘literary 
work’ under the Copyrights Act, 1976. This is because the mechanical process 
of coding from source code to object code has been held to be a product of suf- 
ficient mental labour to merit protection, the imprinting of which constitutes 
‘fixation’. 

Similarly the 3" Circuit Court rejected a claim by the infringers that 
sought to differentiate ‘operating systems’ from other computer programs, 
holding that such a distinction could not be made within the statutory defini- 
tion of a ‘computer program’ as operating systems were also responsible for fa- 
cilitating a computer’s interaction with an application apart from managing its 
internal functions. Thus the instructions that constituted the operating program 
were held to be subject to copyright. 

In so far as the application of copyright laws to software, more specifi- 
cally, computer programs, is concerned, American courts have traditionally 
distinguished between idea and expression with reference to the end sought to 
be achieved by the program in question. In this regard, American courts have 


96 


generally construed that the manner in which a program operates, controls and 
regulates the computer in receiving, assembling, calculating, retaining, corre- 
lating, and producing useful information either on a screen, print-out or by 
audio communication would constitute the expression of the idea. The idea on 
the other hand would be constituted by the purpose for which the program was 
created. Consider for instance a program that was constructed by one company 
and sold to another for the purpose of effectively managing a laboratory by 
simplifying data management of chemicals in medium sized business com- 
puters. The second company however through their own efforts makes the pro- 
gram compatible with personal computers as well. Going by the decision of the 
U.S courts, the idea behind the program would be the efficient management of 
the laboratory and thus, only by applying the principle, this idea could be used 
by software developers from the second company. Thus in this instance, mod- 
ifying the program to make it compatible with personal computers would 
amount to tampering with the expression of the idea by the first company and 
would amount to a violation of copyright. 


2.3 Case Laws Concerning the Idea-Expression Dichotomy: 


This principle followed in the United States has elicited a mixed response from 
courts and academics. As the courts have attempted to diversify the concept of 
an idea under copyright law, several authors have criticized the underlying as- 
sumption that a computer program has only one underlying idea, which is 
equated to the end goal or motive sought to be achieved by the designers. Once 
this idea has been identified, it must be separated from everything else, which 
is then classified as expression. The criticism takes into consideration the fact 
that the composition of a computer program involves many sub-processes/pro- 
grams, which work in unison to generate the ultimate goal. It is stated that such 
sub-programs may involve ideas or goals of their own which may be entirely 
different from the overall idea intended by the designers thereby rendering the 
court’s classification inadequate. 

This principle was however somewhat widened in the case of Computer 
Associates International Inc. v. Altai Inc where the plaintiff, Computer Asso- 
ciates International (CAI) brought an action alleging that the defendant Altai, 
Inc. had utilised substantial portions of Computer Associates’ program while 
developing Altai's own computer software programs. In deciding whether the 
defendant Altai was liable for copyright infringement in developing his pro- 
gram and misappropriating the trade secrets of the plaintiff, the U.S Circuit 
court relied upon a three-step test called the abstraction, filtration and com- 
parison test to determine the scope of the idea/expression dichotomy in the 
case. The procedure involved was to break down the allegedly infringed pro- 


97 





gram into its constituent structural parts and examine each of these parts for 
such things as incorporated ideas, expression that is necessarily incidental to 
those ideas, and elements that are taken from the public domain, thereby sift- 
ing out all non-protectable material. The main aim of this was to draw on fa- 
miliar copyright doctrines as merger, scenes a faire, and public domain and as 
a result giving due cognizance to the fact that computer technology is a dy- 
namic field which can quickly outpace judicial decision-making. [9] 


Step 1: Abstraction 

Abstractions constitute the first step to determine substantial similarity. Ini- 
tially, a court should dismantle the allegedly copied program’s structure and 
isolate each level of abstraction contained within it. This process begins with 
the code and ends with an explanation of the program’s ultimate function. 
Along the way, it is necessary essentially to retrace and map each of the de- 
signer’s steps-in the opposite order in which they were taken during the pro- 
gram’s creation. At a higher level of abstraction, the instructions in the 
lowest-level modules may be replaced conceptually by the functions of those 
modules. At progressively higher levels of abstraction, the functions of higher- 
level modules conceptually replace the implementations of those modules in 
terms of lower-level modules and instructions, until only the ultimate function 
of the program is left. A program has structure at every level of abstraction at 
which it is viewed. At low levels of abstraction, a program’s structure may be 
quite complex; at the highest level it is trivial. 


Step 2: Filtration 

Filtration commences after abstraction and examines the structural components 
at each level of abstraction to determine whether their particular inclusion at 
that level was necessarily incidental to an idea. These are called considerations 
of efficiency and functions on the principle that the more efficient a set of mod- 
ules is, the more closely they approximate the idea or process embodied in that 
particular aspect of the program’s structure. If two programs have the same ef- 
ficiency components, no copyright persists for either program. Furthermore, 
filtration also determines whether they are required by factors external to the 
program itself such as computer specifications, program compatibility, design 
standards set by manufacturers and demands of the industry etc. Programs, 
which are similar on account of such procedure, would be denied copyrights 
and whether they are taken from the public domain and hence constitute non- 
protectable expressions, thus determining the scope of plaintiff’s copyright. 


98 


Step 3: Comparison 

After the first two steps for the test for substantial similarity are completed and 
all elements of the allegedly infringed program, which are ideas or are dictated 
by efficiency or external factors, or taken from the public domain, have been 
sifted out, what would remain would essentially constitute the copyrightable 
part of the computer program. 


The Altai judgment as regards the diversification of the idea/expression 
dichotomy has been held to be good law as far as the United States is con- 
cerned. The court gave a detailed description of a process, which could possi- 
bly be most accurate while imposing a partition between the idea and an 
expression in a particular work. Subsequently, the First Circuit Court came up 
with a decision in the case of Lotus Development Corporation v. Borland In- 
ternational Inc.[10] which stated that a method of operation, as defined under 
17 U.S.C. S 102(b), is a means by which a person operates something, whether 
it is a car, a food processor, or a computer, and is un-copyrightable. Computer 
programs using a method of operation cannot operate without a specific com- 
mand. The court reasoned that while identifying the non-literal elements of a 
computer program, one must first identify whether such elements fall under 
the criteria of a method of operation. If such non-literal elements constitute a 
method of operation, they are un-copyrightable under section 17 U.S.C. S 
102(b) and therefore, an idea/expression dichotomy analysis need not be per- 
formed. The Court in the Lotus case acknowledged that the abstraction, filtra- 
tion and comparison test was an effective means of identifying copyrightable 
elements in a computer program, but was ineffective in resolving an issue 
where factual copying of the program was admitted by a contesting party. The 
decision in the Altai case was read along with the decision of the Federal 
Supreme Court in Feist Publications, Inc. v. Rural Telephone. Service. Co. [11] 
stating that, only original expressions of authors would be given copyright pro- 
tection and that authors were encouraged to freely build on ideas and infor- 
mation conveyed by a work. [12] Recently, the U.S take on the Idea-Expression 
dichotomy has been partly rejected by courts in the United Kingdom. Deci- 
sions of the Chancery Division have outlined a slightly modified version of 
the dichotomy. This will be dealt with in the chapters to follow. 


3. The Law in the United Kingdom 


The Law is divided into two stages — (i) Before 1911 and (ii) After 1911 when 
the Copyrights Act was passed. Before 1911, Courts adopted the principle that 
an idea is not subject to copyright protection and that it is only the expressed 
form of such idea that is subject to such protection. Case law indicates the rea- 


99 


soning adopted by English Courts. [13] The task of the Court is to apply the 
contents of the Act while determining a violation of a copyright and the Act 
does not mention or take into account the existence of an idea/expression di- 
chotomy. [14] The Act stipulates the content that is protected as an original 
work and that such work may be infringed by the taking of a substantial part. 
Thus in dealing with the question of copying, the principle is well established 
that there is no copyright in mere ideas, concepts, schemes, systems or meth- 
ods. [15] Therefore the scope of copyright is limited to the protection of a par- 
ticular form of expression of conveyance. If such copying persists, the 
copyright is infringed. [16] Therefore it is submitted that a defendant is not li- 
able if he has adopted the idea and has made use of it in such a way desired by 
him, howsoever original it may be. Examples in this regard would be the ab- 
sence of infringement of the copyright in a literary, dramatic or artistic work 
by adopting the basic idea underlying such work. [17] Thus far, the principle 
of idea/expression dichotomy would appear to be identical to that of United 
States law, but there is a subtle difference in the manner by which UK Courts 
have diversified the concept. 

After 1911, Courts have declared that ideas, thoughts and plans existing 
in a man’s brain are not ‘works’ as defined by the Copyright Act. [18] But once 
reduced into writing or other material, such ideas through their material form, 
may be susceptible to copyright protection. Given the existence of a good co- 
pyright in a work, a general idea underlying such copyright is not subject to 
protection. However a more detailed proposition or a collection of ideas, pat- 
tern of incidents, or a compilation of information from the original docu- 
ment/material form may amount to be a substantial portion of such work, the 
adoption of which may constitute a copyright violation. There exists a sub- 
stantial body of modern case law indicating that even an expression of an idea 
itself does not remain unprotected. Similarly case law indicates that even sole 
and inseparable methods of expression can be subject to copyright. 

Copyright law for Computer Programs in the United Kingdom is no lon- 
ger confined to the rules imposed by the Copyrights, Patents and Designs Act, 
1988. After 1991 there are three legislations, which are consulted simultane- 
ously to derive the rules and regulations governing copyright of computer pro- 
grams in the U.K. They are, The Copyrights, Patents and Designs Act, 1988, 
the European Council directive of 14 May 1991 on the Legal Protection of 
Computer Programs, and the Copyright (Computer Programs) Regulations, 
1992. The 1992 Regulations were enacted for the purpose of implementing the 
1991 Directive into the 1988 Act, as the provisions of the directive are not self- 
executing. Furthermore, United Kingdom, being a dualist nation makes it man- 
datory for the Parliament to enact legislation in order to recognize implement 


100 


an international convention as applicable law. Therefore all three legislations 
are read together and applied by Courts to factual situations. Computer pro- 
grams are read as original literary works by the 1988 Act under section 3(1). 

Thus, Courts have determined the correct procedure that is followed 
while deciding cases involving the idea/expression dichotomy. Although a ge- 
neral idea cannot be copyrighted, instances where the labour involved in 
expressing such an idea in detail in the form of drawings, writing etc have been 
adopted, are held to be cases of copyright infringement. Such cases involve 
the copying of the detailed expression of the idea and not the idea itself. [19] 
The originality that is required, and through it the protection conferred are re- 
lated directly to the expression of thought involved in creating the work. This 
principle has been applied and affirmed by a plethora of decisions that have ap- 
plied it specifically in relation to the facts involved. [20] 


3.1 Case Laws in the United Kingdom Concerning the Idea-Expression Di- 
chotomy 


The principle applied by the Court Jbcos Computers Ltd v. Barclays Finance 
Ltd is an ideal example of the variance between the law applied in the UK and 
the USA. The case concerned an issue of Copyright violation alleging that the 
impugned program was identical to the original program as they were both de- 
veloped and written by the Same Developer in spite of an undertaking taken by 
the developer not to design or sell similar software upon his resignation from 
the appellant’s company. 

The Court in Ibcos proposed to examine the case by determining logi- 
cally the claim in copyright calls to be tested. For this purpose the Court had 
to consider whether the software in question contained the element of origina- 
lity. While considering the idea/expression dichotomy issue that arose in con- 
nection with the whole package being a copyright compilation (i.e. the question 
of originality), the Court disagreed with a former ruling which held that an 
only method of expressing an idea is not the subject of copyright. The Court 
stated that it was of course true that a copyright cannot protect any sort of ge- 
neral principle, but it can protect a detailed literary or artistic expression. The 
Court cited the case of British Leyland v. Armstrong [21] where in the case of 
an exhaust pipe it was said that the copyright was protecting the engineering 
principles which went into its design apart from the existing copyrights in the 
drawing and that a copy of the drawing via the medium of an exhaust pipe 
made from it amounted to an infringement of such copyright. This was so even 
though there was also a copying of the engineering principles that went into the 
original design. 

The Court said that where an idea was sufficiently general, then even if 


101 


an original work embodied it, the mere taking of that idea would not infringe 
a copyright. But if the idea were to be detailed, then there is a possibility of in- 
fringement, the determination of which remained a question of degree. This 
principle applied whether the work was functional or not, and whether visual 
or literary. Citing an example of a literary work the Court stated that the taking 
of a plot (the idea) of a novel or play could certainly infringe a copyright if 
that plot was a substantial part of the work. The Court acknowledged the sta- 
tement of Judge Learned Hand who said that nobody has ever been able to fix 
a boundary between idea and expression and that the task is a difficult one. 
[22] However that Court did not ignore the utility of the idea/expression di- 
chotomy and its application in the United States, stating that if the defendant 
has merely copied a general idea then it is immaterial whether there is copyri- 
ght in the plaintiff's work. Thus the Court stated that the principle of law ap- 
plied in the United States was different to that applied in the United Kingdom 
and this difference was particularly visible in relation to copyright works con- 
cerned with functionality and of compilations. Thus, the Court found it appro- 
priate to examine the structure of the computer program as a whole in light of 
it being a copyright work in addition to the literal bits of code and the program 
structure within the program. The Court stated that as the component programs 
and structure are individually subject to copyright as sufficient skill, effort and 
judgement went into their design. 

The ruling in Ibcos turned out to be a landmark judgement under Uni- 
ted Kingdom Copyright law. Not only did the Court classify and explain in a 
lucid manner, the extent of applicability of the idea/expression dichotomy in 
U.K. law, it also contradicted and set right a number of judicial decisions (pre- 
dominantly citing United States law as an example) which proposed theories 
contrary to the Courts ruling in the present case. [23] This judgement was cited 
in the case of Navitaire Inc. v. Easyjet Airline Company. The case was a claim 
for the violation of a copyright in a computer program by alleging that the De- 
fendant’s online ticketing program was indistinguishable from the Plaintiff’s, 
in respect of its user interface. The Plaintiffs also claimed that that the copyri- 
ght in their program had been infringed by, among other things, non textual 
copying. They submitted that (1) each of the commands was a copyright work 
in its own right, or, alternatively, each of the complex commands was a work 
in its own right; (2) the collection of commands as a whole was entitled to co- 
pyright as a compilation; (3) in respect of certain screen displays, the template 
was a copyright work for each display; (4) presentations of the data in the da- 
tabase, so called reports, had been copied by the defendants and (5) there was 
non textual copying of the whole of the source code, which was strictly ana- 
logous to taking the plot of a book. [24] 


102 


The Court determined that the issue addressing the idea-expression di- 
chotomy was the ‘compilation’ of the collection of commands that went into 
creating the program and the issue concerning ‘non-textual copying’. The Court 
stated that such a compilation would be entitled to copyright and cited case 
law substantiating the same. The Court drew a distinction between the provi- 
sions of Kalamazoo (Aust.) Pty v. Compact Business Systems Lid [25] and 
Baker v. Selden. [26] The former stated that a collection of accounting forms 
formed a compilation and each collection or group of forms, designed to be 
used with each other, was entitled to protection as a compilation of the consti- 
tuent forms even though the constituent forms were not wholly literary whe- 
reas in Baker, the Court held that a collection of blank forms were not subject 
to copyright. At this juncture the Court in the instant case pointed out the es- 
sential difference between U.S and English law on the matter which rendered 
Baker inapplicable in this case. Although the Court subsequently concluded 
that the collection of commands in the program was not to be granted copyri- 
ght on the basis of it being a compilation as there was no pre-existing material 
to form the subject matter of a compilation, and no compiler in the case at 
hand, due regard was paid to the distinction in law. 

The issue concerning ‘non-textual copying’ was one wherein the cla- 
imant was alleging an appropriation of the end result and business logic (ove- 
rall functionality, from a business perspective) of the software. Therefore the 
issue of idea/expression cropped up because in order to arrive at a finding of 
infringement, something that is not merely inherent in the nature of the busi- 
ness function to be performed by the software must be taken by the defendants. 
This may not only represent the skill and labour of the designers and pro- 
grammers but go wider than the details of the command set and the screen di- 
splays. In this regard the Court held that every element in the expression of an 
artistic work (unless it got there by accident or compulsion) constituted the 
expression of an idea on the part of the author. It was further held that, the 
expression of such ideas was protected as a whole and also to the extent to 
which they form a substantial part of the work. The phrase ‘substantial part’ is 
indicative of a qualitative analysis of the work rather than a quantitative ana- 
lysis. As a result, the part which is regarded as substantial can be a feature or 
combination of features of the work, abstracted from it rather than forming a 
discrete part. The Court cited the example of how the original elements in the 
plot of a play or novel may be a substantial part, so that copyright may be in- 
fringed by a work which does not reproduce a single sentence of the original. 

Thus, where certain ideas expressed by a copyright work are not origi- 
nal, they are not entitled to copyright protection as the borrowing of such idea 
would not constitute the taking of a substantial part of the work (thus varying 


103 


from the U.S position). Furthermore, the skill and labour that is appropriated 
must be relevant to the cause. A mere envisaging of an idea similar to the ob- 
ject sought to be achieved by the computer program, does not amount to the ap- 
propriation of the skill and labour necessary to constitute infringement. 
Therefore, in spite of the fact that the claim for non-textual copyright failed, 
due regard was given to the distinction between U.S and U.K law as regards 
the idea/expression dichotomy without prejudice to the utility of either sys- 
tem. 


4. The Law in India 


The law concerning copyrights in India has been substantively dealt with under 
the Copyrights Act 1957. Section 16 of the said Act clearly states that a person 
shall not be entitled to any form of copyright otherwise than a right in accor- 
dance with the provisions of this Act or any other law for the time being in 
force. Section 13 of the Act defines the scope of existence of copyrights by 
stating exactly for what a copyright is available while Section 14 defines the 
meaning of a copyright. Section 44 provides for the registration of copyrights 
with the registrar of copyrights in India though there is no provision that makes 
registration compulsory. The Act also deals extensively with what exactly 
amounts to a breach of copyright in Section 51 and has defined a computer 
program to come within the ambit of a literary work. Though the Act may seem 
exhaustive, the Act fails to define either an idea or an expression and any dif- 
ference in the treatment of the two while there has also been a relative dearth 
of case-law concerning the idea-expression dichotomy. 

In R.G.Anand v. Deluxe Films, [27] which is the only Supreme Court 
decision concerning the issue of the dichotomy between idea and expression, 
a careful reading of the judgement given by a three-judge bench shows an in- 
clination to the American law because they do not even consider a contingency 
where it is impossible to delineate between an idea and its expression. Then 
again, one cannot really say that the Supreme Court has preferred the Ameri- 
can approach to the English one for the simple reason that it appears the Su- 
preme Court has failed to appreciate the fact that English and American laws 
are different. In this case, the plaintiff who was a part-time playwright and pro- 
ducer of stage plays alleged that the defendant, who was a film-maker had co- 
pied substantial portions from his play that had been enacted in Delhi in 1953 
and had remade it into a film very shortly afterwards and alleged a violation of 
his copyright. The respondent denied this allegation arguing instead that the 
theme of provincialism that was common to both the play and the movie was 
a common theme and was not an original idea of the plaintiff. In deciding this 


104 


issue, the Supreme Court ruled that there can be no copyright in an idea, sub- 
ject matter, themes, plots or historical or legendary facts and violation of the 
copyright in such cases is confined to the form, manner and arrangement and 
` expression of the idea by the author of the copyright work. In this instant case, 
it was further ruled that if the defendant's work is nothing but a literal imita- 
tion of the copyrighted work with some variations here and there it would amo- 
unt to violation of the copyright. In other words, in order to be actionable, the 
copy must be a substantial and material one which at once leads to the conc- 
lusion that the defendant is guilty of an act of piracy. However in this case, 
while comparing the play and the film, the Court came to the conclusion that 
though the theme of provincialism may have been the same, the latter work 
had been presented and treated differently and that though there were some si- 
milarities appearing in the two works, there were also material and broad dis- 
similarities which negated the intention to copy the original and the 
coincidences appearing in the two works were clearly incidental. Thus there 
was no infringement of a copyright in this case. 

As recently as 2002, the idea/expression dichotomy issue was ad- 
dressed by the Delhi Court in Anil Gupta v, Kunal Dasgupta [28] wherein the 
plaintiff had conceived of a reality matchmaking television programme and 
approached the defendant regarding the televising of the same programme. It 
was alleged by the plaintiff that the defendant had usurped his idea and im- 
plemented and claimed a breach of his copyright. The defendant argued that it 
was only the expression of the idea and not the idea itself which could be pro- 
tected under the copyright. The Court while agreeing that an idea per se can- 
not be protected by a copyright also ruled that where the concept that has been 
the subject of the dispute is a novel concept, then it can be copyrighted even 
though it is just an idea. The rationale for this decision lies as the argument 
which was advanced by the Court that the concept developed and evolved by 
the plaintiff is the result of the work done by the plaintiff upon material which 
may be available for the use of anybody but what makes it confidential is the 
fact that the plaintiff has used his brain and thus produced a result in the shape 
of a concept and if defendant is allowed to show their own reality show based 
on the concept originally conceived by the plaintiff, it will be allowing the de- 
fendant to use that concept and to reap the fruit of the labour of the plaintiff. 

At this juncture, it is necessary to reiterate the subtle distinctions in 
the law that have arisen between the United States and the United Kingdom and 
mention how and why it is of immense relevance with regard to India. It is un- 
clear whether the corpus of Indian Law of Copyrights would be amenable to 
the concepts of functionality and substantial similarity while deciding the value 
of a copyright in a computer program, thereby subscribing to the procedure 


105 


followed by the U.K Courts as laid down in the Jbcos and Easyjet Cases, or 
whether the Courts in India would adopt the objective test strategy adopted by 
the American Courts in the Whelan Associates case and substantiate the propo- 
sition by using the accepted three step test given in the Altai Case. Lastly, there 
is also a substantial difference between the sources of law in the U.S.A and the 
U.K. The laws of copyright in the United States stem from Constitutional 
recognition whereas the principles of copyright law in the United Kingdom 
stem from the codification of Common Law principles. The general affinity of 
the Indian Legal system to Common Law principles would create a substantial 
debate between the applicability of U.S and U.K law in copyright cases within 
India. 

The way the courts have approached the dichotomy in the two juris- 
dictions itself has been quite different. While it must be acknowledged that it 
is difficult to make out a clear-cut distinction between an idea and an expres- 
sion, the American courts have been absolute in their decision to make ideas 
free from copyrights while the British courts on the other hand have held that 
where an idea is detailed to such a degree that it is impossible to delineate the 
idea from its expression, then such an idea can still be copyrighted. This dis- 
tinction gains importance in light of the fact that there has been as yet no in- 
stance of a software programme or technology conceptualised by one 
person/company being copied by another. Though the Copyright Act does say 
that only the owner of a computer programme can have the right to adapt or 
translate it, what happens when another person claims to have developed a 
similar, though not identical programme on the same theme that fulfils the 
same objective albeit in a different manner? The second person can very well 
claim that he has not modified or adapted the formers’ work and that he has 
merely worked on the same domain as the first programmer has. So what does 
an Indian court do in such an instance? Does it follow a British Court and take 
the approach that the Delhi High Court has adopted earlier in the Anil Gupta 
case by delving into the extent to which the first program is innovative, novel 
and detailed so as decide whether the concept of the program itself is novel in 
which case the very conceptualisation of the programme by the first person 
can be copyrighted or does it follow the American approach that the purpose 
for which the programme is created is taken to be the idea and rule that there 
can be no copyright granted to the first person in this regard because his ex- 
pression of his concept has not been copied (provided of course that the sec- 
ond person proves that his program is not something that he has created by 
tampering with the first person’s programme)? Under the first approach, even 
if it is shown that the second person has not created his programme by tam- 
pering with or modifying the work of another, a copyright can still be granted 


106 


to the first person as long as he can show that his idea is something novel and 
so detailed that the expression and idea cannot be separable or that the idea is 
an integral part or a substantial pert of the expression itself. 

In the R.G.Anand case that has been discussed earlier and which is to 
date, the only Supreme Court judgement concerning this particular issue, the 
Supreme Court has liberally cited a number of American and English authori- 
ties while justifying their decision. However, the Supreme Court never adver- 
ted to the fact that the English and American law on this subject are quite 
different, at the very least in theory, though this judgement tends to favour the 
English approach. The law of the land is to that extent inadequate and should 
have ideally examined both jurisdictions in isolation as was carried out in the 
subsequent and more contemporary Anil Dasgupta Decision. The outcome in 
R.G Anand concerned a copyright issue pertaining to the adoption of the theme 
or plot of an artistic work. Had the Supreme Court paid due regard to the dif- 
ferences of law in the America and the United Kingdom, then it is a logical 
conclusion that Indian law will have been able to accept the fact that situations 
will arise where the borrowing of a theme or a detailed idea may violate the co- 
pyright of the original author. The Court in R. G Anand has unfortunately omit- 
ted this distinction and as a result any future case concerning computer 
programs where a detailed analysis of copyrightable elements is required at 
every stage of the program’s preparation would automatically align itself under 
the decision in the R.G. Anand case and hence the pro-UK decision, which is 
definitely more progressive in its scope laid down in the Anil Gupta case has, 
as a result been rendered as obiter dicta. 

There will be a time in the near future when the Supreme Court will 
have to come to terms with this difference between the English and American 
laws and make a pronouncement regarding the same It would be unwise to 
ignore the American law altogether as it presents an accurate method of ana- 
lysing a computer program and breaking it down through a step by step method 
to obtain the copyrightable element with respect being given only to the origi- 
nal expression of the author and not to general ideas or knowledge. This mi- 
nute attention to detail as outlined by the American courts is extremely relevant 
is identifying the extent to which it is possible to delineate an idea from an 
expression. Thus the American system is more liberal in allowing development 
in various fields by encouraging authors to freely use available ideas and know- 
ledge. However the English system, on the other hand gives more attention to 
the original work of the author as a whole as against identifying particular ele- 
ments of expression that may be copyrighted. Importance is given to the deta- 
iled application of general principles of knowledge applied by the author in 
expressing his work and as a result can be protected by a copyright, going by 


107 


the decisions in Ibcos and Navitaire. Indian courts have traditionally followed 
the latter and more conservative approach with regard to general copyright law 
and there is nothing to suggest that Indian courts will make an exception with 
regard to the idea-expression dichotomy as and when they have to deal with 
this distinction. Thus there is always a balance of interests — between the inte- 
rests of the person whose ingenuity has created a particular idea that is novel 
and cannot be delineated from its expression on one hand and interests of so- 
ciety on the other, which will suffer if a copyright is granted to an idea itself, 
for it will discourage people other than the inventor himself from developing 
on this idea. The liberal approach is manifestly in favour of protecting the in- 
terests of the society at the expense of those of the inventor. So on the face of 
it, the traditional approach might seem to work against the greater good where 
the interests of society are sacrificed in favour of those of the individual in- 
ventor. However that is not the case as the liberal approach might in fact work 
against the greater good as well. This is because of the fact that by failing to 
grant protection to novel and innovative ideas by following the liberal appro- 
ach, American Courts tends to discourage people from developing novel ideas. 
The interests of Society would be affected more in a scenario where a person 
is discouraged from developing such ideas than in a one wherein a novel idea 
has been thought of by someone and protected for a prescribed period. This is 
often the reason why Indian courts have preferred the traditional approach to 
the liberal one with regard to copyright laws in general. 


5. Conclusion 


This distinction becomes relevant in light of the Anil Gupta case where it ap- 
pears that the Delhi High Court has followed the principles laid down by the 
British courts rather than those laid down by their America counterparts. How- 
ever it appears that Indian courts have not appreciated this distinction which be- 
comes evident when the Supreme Court actually cited both American and 
British authorities in its judgement. Given the recent stand taken by the Delhi 
High Court, one would not be too presumptuous if one were to assume that it 
would be the British law that would be of greater application in India. The en- 
tire Indian system of civil law has been given to the nation by the British and 
India has also extensively incorporated principles of common law and in fact, 
the original Copyright Act first framed in 1914 was itself a product of the 
British administration. Furthermore, the distinction between an idea per se and 
an idea from which the expression cannot be delineated — a distinction that has 
been ignored by American Courts — is one that is necessary as it would be man- 
ifestly inequitable in law if one person were allowed to use an idea or concept 
of another even though an idea per se cannot be copyrighted, especially in a 


108 


case where the latter has put in considerable amount of ingenuity to add a touch 
of novelty to his idea. If this distinction were removed, then one needs to pause 
and consider the plight of such a person who is put in a situation where he gets 
no reward for his ingenuity. So removing this distinction would in effect also 
result in removing incentives for creating new and novel concepts which will, 
in the long run, inevitably hamper the growth of software technology. However 
for the reasons that have been cited, the American law cannot be completely 
cast aside either. So it is important to analyse the pros and cons of applying ei- 
ther of these laws in India and as is often the wont when faced with choosing 
between two completely different viewpoints, it is best if one were to take a via 
media approach to solving this problem in the sense that we will have to work 
out a system where we can successful incorporate American law to the extent 
that we adopt their three step approach in analysing a computer program into 
the traditionalist English approach. 


Notes 


[1] See, e.g., Apple Computers v. Formula International Inc., 725 F.2d 521, 525 (9th Cir. 
1984). 

[2] See, e.g., Baker v. Selden 101 U.S. 99 (1879) 

[3] This holding of the idea/expression dichotomy was apparently codified in Section 102(b) 
of the US Copyright Act of 1976, which provides: “In no case does copyright protection 
for an original work of authorship extend to any idea, procedure, process, system, method 
of operation, concept, principle, or discovery, regardless of the form in which it is descri- 
bed, explained, illustrated, or embodied in such work.” 

[4] Section 106 of the same act says thus: To constitute a derivative work, the infringing 
work must be based upon the copyrighted work and incorporate a portion of the copyrigh- 
ted work in some form. A derivative work is defined in 17 U.S.C. Section 101 as a work 
based upon one or more pre-existing works, such as a translation, musical arrangement, 
fictionalization, motion picture version, sound recording, art reproduction, abridgement, 
condensation, or any other form in which a work may be recast, transformed, or adapted. 

[5] See Section 102 of the same act. 

[6] See the Final Report_of the National Commission on New Technological Uses of Co- 
pyrighted Works, 3 Computer/Law J. 53, 77 (1981) [rep.]. 


[7] See, e.g., Apple Computer v. Formula Int'l, 725 F.2d 521, 524 (9th Cir. 1984); SAS Inst. 
v. S & H Computer Sys., 605 F. Supp. 816, 818 (M.D. Tenn. 1985); Videotronics v. Bend 
Elec., 564 F. Supp. 1471, 1477 (D. Nev. 1983); Tandy Corp. v. Personal Micro Computers, 
524 F. Supp. 171, 173 (N.D. Cal. 1981); 17 U.S.C. at sections 101-117 (1982). 


[8] See, e.g., White-Smith Music Publishing Co. v. Apollo Co., 209 U.S. 1 (1908). 
[9] See, e.g., Computer Assocs. Int'l., Inc. v. Altai, Inc., 982 F.2d 693. 

[10] 49 F.3d 807. 

[11] 499 U.S. at 349-50, 111 S.Ct. at 1290. 

[12] Lotus Development Corporation v. Borland International Inc., 49 F.3d 807. 
[13]See, e.g., Toole v. Young (1874) LR 9 QB 523; Boosey v. Wight [1900] 1 Ch 122 


109 


[14] See, e.g., Ibcos Computers Ltd v. Barclays Mercantile Highland Finance Ltd [1994] 
FSR 275. 


[15] See, e.g., L.B. (Plastics) Ltd v. Swish Products Ltd [1979] R.P.C. 551 at 619, 633; 
Johnstone Safety Ltd v. Peter Cook (Int.) [1990] F.S.R. 161; Harman Pictures N.V. v. 
Osborne [1967] 1 W.L.R. 723 at 728; Hollinrake v. Trusweil [1894] 3 Ch. 420; McCrum v. 
Eisner (1917) 87 L.J. Ch. 99. 


[16] See, e.g., Hollinrake v. Truswell [1894] 3 Ch. 420 at 424. 


[17]See, e.g., Wilmer v. Hutchinson & Co Ltd [1936-45] Mac. C.C. 13; Kenrick & Co v 
Lawrence & Co (1890) 25 Q.B.D. 99; Gleeson v H.R. Denne Ltd [1975] R.P.C. 471. 


[18] Refer to the Copyright Acts 1956 and 1988. 


[19] See, e.g., L.B. (Plastics) Ltd v. Swish Products Ltd [1979] R.P.C. 619; William Hill 
(Football) Ltd v. Ladbroke (Football) Ltd [1980] R.P.C. 539 at 546; Leco Instruments 
(U.K.) Ltd v. Land Pyrometers Ltd [1982] R.P.C. 140. 


[20] See, e.g., University of London Press Ltd v. University Tutorial Press Ltd [1916] 2 Ch. 
601; Ladbroke (Football) Ltd v. William Hill (Football) Ltd [1964] 1 W.L.R. 273 at 277; 
Ibcos Computers Ltd v. Barclays Finance Ltd [1994] F.S.R. 275. 


[21] See, e.g., British Leyland v. Armstrong [1986] R.P.C. 279 at 296. 
[22] See, e.g., Nichols v. Universal Pictures (1930) 45 F. (2d.) 119. 


[23] See, e.g., Wilmer v. Hutchinson & Co Ltd [1936-45] Mac. C.C. 13; Kenrick & Co v 
Lawrence & Co (1890) 25 Q.B.D. 99; Gleeson v H.R. Denne Ltd [1975] R.P.C. 471; Total 
Information Processing Systems v. Daman [1992] F.S.R. 171; John Richardson Computers 
v. Flanders, [1993] F.S.R. 497. 


[24] See, e.g., Navitaire Inc. v. Easyjet Airline Company [2004] EWHC 1725 at 1 87. 
[25] (1985) 5 I.P.R. 213. 

[26] 101 U.S. 99 (1879). 

[27] AIR 1978 SC 1613 

[28] IA 8883/2001 in Suit no.1970 of 2001. 


References 


1) Thomas M. Gage, Whelan Associates v. Jaslow Dental Laboratories: Copyright Pro- 
tection for Computer Software Structure- What is the Purpose? 1987 Wis. L. Rev. 859 


2) Peter G. Spivack, Does Form follow Function? The Idea Expression Dichotomy in the 

Protection of Computer Software, 35 UCLA L. Rev. 723 

Steven R. Englund, Idea, Process, or Protected Expression? Determining the Scope of 

Copyright Protection of the Structure of Computer Programs. 88 Mich. L. Rev. 866. 

4) Hugh Laddie, Peter Prescott and Mary Vitoria, (1995)The Modern Law of Copyrights 
and Designs, Vol.1, pp. 62-64, Butterworths, London. 

5) David Lingfelder, Differntiating idea and expression in Copyrighted Computer So- 
ftware: The Tests For Infringement, 13. 6 J.L. & Com. 419. 


3 


~ 


110 


Patent in Genetic Technology 


Chen Jinjin and Li Raojuan 
Xi’an Jiaotong University, China 


Abstract: Genetic technology, as a newly-emerging technology, 
has brought a profound impact on the world. The achievement of ge- 
netic technology necessitates legal protection. Patent law protection will 
greatly promote science and genetic economy development. However, 
patent law protection also raises numerous questions and disputes. Start- 
ing from the conception of gene, this paper analyses the gene sequence, 
the new transgenosis varieties of the animals and plants and the gene 
methods. The paper then provides an overview of the Chinese legal sys- 
tem on the protection of genetic technology, and puts forward sugges- 
tions to fill the gap in the lacuna created by the absence of specific 
relevant laws in China. 


Keywords: Patent, Genetic technology, Transgenosis 
1. Introduction 


In the past 20 years, the rapid development of genetic technology has led to the 
emergence of gene methods and products which are made use of in medical di- 
agnosis, pharmaceutical industry, agriculture, technology, environmental and 
food science. However, this has also given rise to complex problems which 
necessitates a legal solution. Presently, patent law protection of genetic tech- 
nology is applied in resolving intellectual property disputes. In the 70s, some 
developed countries have given attention to the patent protection in genetic 
technology cases. But as to the degree and scope of protection, as well as the 
establishment of a patent system of gene protection, there still remain con- 
tentious issues which need to be resolved. Can genetic technology be granted 
a patent? This is a complex problem because genetic technology includes the 
gene itself, genetic technology method, transgenosis organism, and biogenic 
products. Different countries have various approaches to the interplay between 
gene technology and intellectual property tights. China is struggling with this 
issue. The aim of this paper is to give a general overview of gene technology 
and to discuss the legal approach in China. 


1.1 The Concept of Gene 


Geneticists believe that genes are the material of nucleotide sequence on the 
DNA (deoxyribonucleic acid) molecule and DNA molecular fragments with a 


111 


genetic effect. Genes which are in a linear arrangement on chromosome do not 
only pass the gene information to the next generation through duplication, but 
also express gene information. It is an era when knowledge combined with 
economy brings economic benefits. The application and commercial value in 
the field of genetic technology, which is still in the initial stage, is promising. 

Some multinational corporations and the governments have already 

started to guard and search for "gene gold" in this new field. They apply for 
patents actively on their discoveries such as the HIV antibody genes, rare ge- 
netic characteristics of animals, plants and micro-organisms. However, the 
transfer fee and license fee of patent is extremely high for consumer and the 
business entity. 

The following cases illustrate the high cost involved in transfer and li- 

cense fee. 

e Corporation Amgen in United States invested 20 million dollars to 
buy exclusive development license right of an obesity gene from 
Rockefeller University in November, 1994. Corporation Amgen paid 
no less than 30 million dollars to Rockefeller University for the 
phased payment and product sales allowances afterwards. (Song, 
2000.) 

e Corporation Millennium in United States signed agreements with 
Corporation Wyeth-Ayerst on genes cooperation about disease re- 
lated to central nervous system in July, 1996. Corporation Wyeth- 
Ayerst paid about 90 million dollars to Millennium in the later 7 
years, which does not include the phased payment of allowances and 
products allowances of royalties and research-development cost. 
(Chong Song, 2000.) 

e FKBP ligand neural immune factors: In 1997, Corporation Amgen 
transferred FKBP ligand neural immune factors to Corporation Guil- 
ford with a transaction fee of 392 million US dollars which is so far 
the highest price among single gene transactions. (Chong Song, 
2000.) 


1.2. Development of new products 


Genetic resources often have close relations with human body. For ex- 
ample, AIDS antibody genes and other functional genomics have special effect 
on human health and beauty. A series of drugs and products which are helpful 
to our health can be developed by analysis of these genes. The output of global 
genetic engineering medicine market is about 20 billion US dollars and the 
number of varieties of gene drugs on the market is 53, 35 of which are very im- 
portant, mainly for cancer, anaemia, diabetes, hepatitis, haemophilia and car- 
diovascular diseases. (Rao Minghui, 2004) Compared with traditional chemical 
drugs, the main characteristic of gene drugs may lie in its less pollution cate- 


112 


gory. Pollution has become a headache for most people in the 21st century. 
Undoubtedly, genetic technology brings positive news in both the economy 
(huge cost on pollution treatments) and the building of a harmonious society. 

Genetic technology has also played a tremendous role in the transgeno- 
sis products. Transgenosis technology is to transfer exogenous gene to the cells 
of plants or animals, or modify the genes, then pass and express the results to 
the next generation steadily. There are currently countless transgenosis prod- 
ucts, such as Cherry-tomato, transgenosis soybeans, transgenosis rice and so 
on. The biotechnology products will take a growing share of the international 
trade during this century. 


2. Foreign approaches to Patent Protection of Genetic Tech- 
nology 


2.1 Gene Sequence 


As a carrier of gene information, gene is nucleic acid molecule, and it is a ma- 
terial of biochemistry. We can consider gene sequence as a chemical material. 
US Courts did not always think that natural materials existed depending on 
human being’s activities, or that they could be treated as the inventions of 
human being. The cognition was strictly obeyed as a legal principle in the early 
Patent Law. In Funk Bros. Seed. Co. v Kalo Inoculant Co (1948), the United 
States Supreme Court held that natural materials could not be granted patent. 
(Zhang Naigeng,, 1995.) 

In the 1980s, the US Supreme Court set a precedent and reversed this 
view. In Diamond v. Chakarabarty (447 U.S. 303; 100 S. Ct. 2204, 65 L. Ed. 
2d 144, 206 U.S.P.Q. 193), Genetic engineer Ananda Mohan Chakrabarty, had 
developed a bacterium (derived from the Pseudomonas genus) capable of 
breaking down crude oil, which he proposed to use in treating oil spills. He re- 
quested a patent for the bacterium in the United States but was turned down be- 
cause the law dictated that living things were not patentable. The Patent Office 
Board of Appeals agreed with the original decision; however, the United States 
Court of Customs and Patent Appeals overturned the case in Chakrabarty's 
favour. The Commissioner of Patents and Trademarks appealed to the Supreme 
Court and on June 16, 1980, the United States Supreme Court ruled in favour 
of Chakrabarty, and upheld the patent, holding that: 


“A live, human-made micro-organism is patentable subject matter 
under [Title 35 U.S.C.] 101. Respondent's micro-organism constitutes 


a "manufacture" or "composition of matter" within that statute.” 


Finding that Congress had intended patentable subject matter to "include 
anything under the sun that is made by man," he concluded that: 


113 


Judged in this light, respondent's micro-organism plainly qualifies as 
patentable subject matter. His claim is to a nonnaturally occurring 
manufacture or composition of matter - a product of human inge- 


nuity. 


To a certain extent do people separate or purify natural materials to make them 
out of natural state, they can assert patent right. 


2.2 Genetic Technology Method 


Genetic technology method is a method invention using gene’s extraction, re- 
arrangement, preservation, carry, propagation and so on to create live organism 
or other components or to reform animals and plants, microbe and even part or- 
ganization of organism. (Hu Zuochao et al, 1993)There are two kinds of 
method inventions in the field of biology, namely mainly biological method 
and mainly non-biological method. The difference between these two method 
inventions depends on the level of people’s technology involvement. If the 
people’s technology involvement has a dominant and decisive effect on the re- 
sult of the method, it is mainly non-biological method. (Lying-in et al, 
2003)Genetic technology method belongs to mainly non-biological method. 
Scientists and technicians break the natural attribute of self-reproduction and 
evolution of species through genetic technology intervention to achieve the re- 
sult they want. Most countries have already admitted that genetic technology 
method should be granted patent. 


2.3 Transgenosis Plants and Animals 


a. United States’ attitude towards protection of new plant varieties 


As for the new plant varieties, the intellectual property protection of United 
States is a little complex, and includes the following: plant patent, right of plant 
varieties, practical patent, Botanical Technology Method Patent of 1995 and so 
on. Before the 1980s, the PTO generally refused to grant patent to new plant 
varieties, because the PTO thought that plant belongs to natural products. After 
Diamond V. Chakrabarty, the PTO began to grant patent to microbe, but still 
refused to grant patent to new plant varieties. In Ex Parte Hibberd, the right of 
plant breeders to patent their plant materials under Section 101 of the US Pa- 
tent Act was established. This provided new opportunities and possibilities for 
plant breeders and seed companies to protect their products. However, seed 
companies seem to be comfortable with the protection available under the Plant 
Varieties Protection Act, as it is generally considered more difficult, and more 
costly, to take out a utility. After ex-parte Hibberd, the United States begun to 
grant patent to new plant varieties. 


114 


As for the transgenosis animals, the United States was the first country 
to grant patent to transgenosis animal varieties. The first patented transgeno- 
sis animal in United States was a mouse known as the "Harvard Mouse." (Yan 
Qitai, transgenosis animals patent, http://www.patent104.idv.tw/bb.rtf) 


b. UPOVC 


Because of the development of plant breeding programmes, extensive discus- 
sions over how to most effectively protect new plant varieties and the breed- 
ers turned up. In contrast to the action taken in the US, the view in Europe was 
that plant material should not be patented. For example, Article 4 of European 
Union "directive on legal protection of biotechnological invention” provides 
that "plant and animal varieties" are not proprietary. (http://www.chi- 
nalawedu.com/) 

As a result of these legal discussions, the plant variety right was set 
down. In 1961, the first international treaty to protect new plant varieties was 
adopted, namely, the International Convention on the Protection of New Vari- 
eties of Plants (UPOVC).Article 2 of the 1961 UPOVC states: 


Each Member State of the Union may recognize the rights of the 
breeder provided for in this Convention by the grant of either a special 
title of protection or of a patent, a Member State of the Union whose na- 
tional law admits protection under both these forms may provide only 
one of these for one and the same botanical genus and species. 


The protecting scope of 1961 UPOVC was restrained to the reproduc- 
tive or vegetative propagating material; other materials were not included, even 
they were very important to the breeder. The UPOVC has been revised three 
times since 1961. The two main revisions taking place in 1978 and 1991. Ar- 
ticle 2(1) of 1978 UPOVC states that Member states must provide either patent 
or plant variety protection in accordance with the provisions of this Conven- 
tion but not both. It adopted a dual protection ban. 

In 1991, UPOVC was revised with additional provisions which. each 
member state can choose to apply. Article 14(3) of 1991 UPOVC stipulates 
the scope of the breeder. It expands the protecting scope to the materials that 
are beyond the reproductive or vegetative propagating material, and explicitly 
permits each member state to grant their new plant varieties patent. The 1991 
UPOVC gives up the dual protection ban for new plant varieties of the 1978 
UPOVC. 


115 


3. China’s Patent Protection of Genetic Technology 
3.1 Gene Sequence 


Whether gene sequence can be patentable or not is contentious topic in China. 
There are an increasing number of people who apply for patent for gene se- 
quence in China. For example, on April 21st, 1999, AIDS prevention and con- 
trol centre of the Chinese Ministry of Health and Harbin Veterinary Research 
Institute of Chinese Academy of Agricultural Science applied gag Gene of 
Donkey Leukocyte Attenuated Equine Infectious Anaemia Virus for patent. 
There are no relevant provisions about gene sequence in the Patent Law of 
China, but the Examination Guidelines of Chinese Patent Office in 2006 pro- 
vides some rules on novelty, inventiveness and practical applicability about 
gene sequence. 


e On novelty. Article 9.4.1, Chapter X, Part 2 of Examination Guide- 
lines states that novelty depends on whether the sequence has al- 
ready been known or not. 

e On inventiveness. Article 9.4.2, Chapter X, Part 2 of Examination 
Guidelines refer to the United States non-obvious standards, namely 
that gene sequence’s creativity does not depend on the methods that 
identify the gene sequence, but on the molecular structure of DNA 
or the arrangement sequence of the amino acid of protein. However, 
China has stricter standards than the United States. First, China re- 
quires that the applicant provides experimental data; second, the de- 
scribed usage of the invention must actual exist instead of expected. 

e On practicality. China does not provide “well established utility” as 
the United States, Examination Guidelines use industrial utility. 


Actually, it is not easy to secure a patent under the United States and 
European Patent Office. Granting patent to gene sequence undoubtedly ex- 
pands the concepts of originality and creativity; meanwhile, expansion of these 
concepts means expansion of monopoly of patent right. As a result, it is prob- 
ably that patentees’ monopoly right goes far beyond the level that he deserves, 
and it will sacrifice social interests. People find gene sequence through certain 
methods, and then extract it from organism by further experiment, but they do 
not invent a new material. In fact, people have already known the existence of 
this material, but do not know how to extract it. It is better to grant the method 
that extracts the material patent than to grant the material patent. Furthermore, 
if there are many people using different kinds of methods to extract the same 
gene sequence, who should the patent be granted to? As a general rule, , the 


116 


patent rights are given on a first come basis, The one who is granted patent 
gains monopoly right of the gene sequence and the others who subsequently 
extract the same gene sequence through other different methods pay for using 
it. 

This logic is fallacious. By analogy, should Christopher Columbus be 
granted a patent for discovering America? People should not be granted patent 
simply because he is the first one to know the structure of materials. All com- 
mon researchers can gain gene sequence through DNA rebuild technology. 
Thus, we should not grant patent to gene sequence. For example, in 1991, the 
United States National Health Centres decided to grant patent to the gene se- 
quence gained in The Human Genome Project. This decision sparked protest 
and disagreement from scientists all over the world. The decision expanded 
the saying that, “anything under the sun that is made by man can be protected 
by Patent Law”. 

The decision ignored the key word “made by man” “Made by man” 
means the creative participation of man, and subsequently results in new things. 
It is different from purifying gas from crude oil. Gene sequence should not be 
granted patent. 


3.2 Genetic Technology Method 


Article 25 of Patent law of China states that the methods that produce plants 
and animals are patentable. The Examination guidelines of Chinese Patent Of- 
fice in 2006 also prescribe that mainly non-biological method, including ge- 
netic technology method can be granted patent. Article 2.1 of The Examination 
guidelines of Chinese Patent Office states: 


The material itself and the method to get the material can be granted 
patent when, 

e it is the first time to separate or extract this material from natural 
material, 

e the structure, morphology, and other physical and chemical para- 
meters of the material can not be identified or correctly characteri- 
zed by existing technology, 

e valuable in the industries 


There are detailed requirements about how to prepare manuals for 
method invention in Article 9.2.2.2. However, the main difficulty is whether a 
genetic technology meets the requirements of practicality. That is, they must be 
a repeatable reproduction of non-biological method, such as conventional 
method like disease clinics. In reality, many traditional biology breeding, rear- 


117 


ing and nurturing methods affecting by individual characteristics lack of re- 
producibility, so they can not be granted patent because they do not have re- 
quested practicality. 

Genetic technology method is a method invention. Besides patent pro- 
tection, is there any other way to protect it? Actually, what people really want 
to get is not the method, but the organism, other components, reformed animals 
and plants, microbe and even the part organs of the organism. It is these fol- 
low-up products that benefit the society. 

The authors hold that technology secret protection will be an effective 
way to protect genetic technology method. 


Gene technology 


R&D Fee 
Follow-up products 


Reach the consumer 









Patent Fee 






Gene technology 


Follow-up products 


Technology secret protection Patent protection 
















From the illustrations above, we can see that technology secret protec- 
tion is cheaper and costs less time than patent protection. Firstly, under the 
technology secret protection, there are only two stages from the genetic tech- 
nology method to the eventual products. Under the patent protection, it requires 
three steps. The length of time it takes to apply and acquire the patent license 
makes it vulnerable to theft and public exposure. 

Secondly, other people can also gain genetic technology method through 
reverse engineering to break the monopoly of the patent holder. Inevitably, 
competing products appear in the market, spurring further development of the 
technology as rivals fight over the market. For example, Coca Cola adopts 
technology secret protection to protect its secret recipe. Over the years, Coca 
Cola has not only captured the greater share of the soft drinks market, but has 
also continued to develop new flavours. 


3.3 Transgenosis Plants and Animals 


In 1999 China has acceded to the 1978 UPOVC, and committed to protect the 
rights of breeder Article 25 of Patent Law of China states that for any of the fol- 
lowing, no patent right shall be granted: 

1) scientific discoveries; 

2) rules and methods for mental activities; 


118 


3) methods for the diagnosis or for the treatment of diseases; 

4) animal and plant varieties; 

5) substances obtained by means of nuclear transformation. 

For the processes used in producing products referred to in items (4) of 
the preceding paragraph, patent right may be granted in accordance with the 
Provisions of this Law. 

On March 20th, 1997, China promulgated the “Regulations of Protection 
of New Plant Varieties”. By July 1999, there had been 154 plant varieties re- 
spectively asking the Ministry of Agriculture and the State Forestry Adminis- 
tration for protection, including rice, corn, cabbages and so on. According to 
this Act, the rights for production, sales, transfer of the obligee are equivalent 
to patent rights. But the minimum period of protection is 15 years, longer than 
the minimum patent protection period. In fact, China has already started to pro- 
tect plant varieties in the level of patent protection. Taking the farmers inter- 
ests into account, this regulation also provides that farmers can propagate and 
use the propagation materials of new plant varieties without permission of the 
obligee. They do not even have to pay for them. This provision reflects the 
protection for social interests when the obligee is fully protected in the course 
of intellectual property legislation. 

Clearly, the protection of plant varieties is reasonable and necessary. 
However, the "Regulations of Protection of New Plant Varieties" is only an ad- 
ministrative regulation promulgated by the State Council. In order to achieve 
higher levels of protection, a special law is needed to protect new varieties of 
plants classify new plant varieties to patent protection. 


4. Recommendation 


China has kept pace with the world's research of transgenosis plant .In order 
to encourage domestic enterprises and technicians to obtain more technical 
achievements in this field, it must also provide patent protection to the 
transgenosis plant technology. Furthermore, the patent protection of transgeno- 
sis plant will be conducive to the introduction of foreign advanced technology. 
In this respect, China should learn from Europe and the United States, and pro- 
vide patent protection to the new varieties of transgenosis plants. 

There are two ways to protect new plant varieties in China, one is to 
apply varieties rights, the other is to apply patent of the methods that produce 
new plant varieties, and the second gives an indirect protection. 

As regards to transgenosis animals, Article 25 of Patent Law of China 
clearly excludes new animal varieties from the patent object, and it only per- 
mits patent application on the method of gaining new animal varieties. 

The forms of protections to transgenosis animals and transgenosis plants 


119 


should be similar while considering that they are all important component of 
inventions in the field of genetic technology. The authors suggest two ways to 
extend the protection. The first is to protect the method of transgenosis ani- 
mals and plants by technology secret. The reasons and practices are just the 
same as what are mentioned above. Another way to protect transgenosis plants 
and animals is granting a patent. However, some practices are complicated. 
For example, the United States protects new plant varieties through granting ri- 
ghts of plant varieties, while China applies the "Regulations on Protection of 
New varieties of Plants". The UPOVC gives its member states the right to cho- 
ose either method of protection. After all, they will also limit the varieties of 
the new plants which should be protected. For example, the directory of new 
varieties of Plants in Chinese "Regulations on Protection of New varieties of 
Plants" has only 25 kinds. Complicated procedures such as inspection, verifi- 
cation, and determination should be taken if a new variety emerges. It is more 
convenient, economical and effective to choose a simple, workable and unified 
method to protect transgenosis plants and animals since the International trend, 
especially in the field of intellectual property rights, is overwhelming. 


5.0 Conclusion 

The general level of China's gene theoretic and genetic technology is back- 
ward, and the patent protection of genetic material in China is complex. The 
Patent Law of China has responded o this emerging technology by providing 
a protective mechanism for the genetic technology. However, further legisla- 
tion is needed to ensure a fair balancing of interest. 


References: 


1) Song, C. (July 12, 2000) “War of gene loot: a new enclosure movement”, “China Eco- 
nomic Times” 
2) Minghui, R. (2004) “On rights group of gene”, China Judicial Internet 
3) Naigeng, Z. (1995) “Case of the United States Patent Law”, China Politics and Law 
University Press 
4) Hu Z, Tao, T., “Biotechnology and Patent”, Science Press, 1993. 
5) Li, Y. and P., Canjun (2003) On the Gene Technology Patent Protection”, Journal of 
Zhejiang University (humanities and social sciences) 

6) Yan, Q. (2007) “transgenosis animals patent", Viewed at http://www.patent1 04.idv.tw/ 
bb.rtf 


7) http://www.chinalawedu.com/news/2 1604/6500/7 1/2005/1/ma27061249341421500242 
294 156840.tm 


120 


Internet Domain Names Interrelationship with other 
legal rights: Israeli and Palestinian perspectives 


Mohammad Alramahi 


Lecturer in Law 
The Robert Gordon University, Aberdeen, UK 
m.alramahi@rgu.ac.uk 


Abstract. Rights over domain names arise from the contract that 
governs the relationship of the domain name registrant with the registrar 
(the entity that undertakes domain names registration on the Internet). 
Additionally, rights may also be established under Intellectual Property 
Rights (IPRs) created and governed by statute concerned. This paper 
provides a comparative analysis of the domain names protection in the 
field of intellectual property law. Focus is centred upon the study of the 
Israeli and Palestinian law. The purpose of this study is to find out si- 
milarities and differences between the two legally recognised rights in 
a case of infringement and simultaneously between those two rights in 
the Israeli and Palestinian jurisdictions. In order to achieve such pur- 
pose, domain name legal status and dispute treatment will be underlined. 
A comparison of the instrument and means of protection will follow. 
The research will deal with various aspects of infringement paying par- 
ticular attention to the problems of the adequacy of trademarks law to In- 
ternet domain names and the difficulties encountered in both 
jurisdictions. 


1. Domain Name System (DNS) 


The domain name system (DNS) serves the central function of facilitating 
users’ ability to navigate the Internet. It does so with the aid of two components; 
the domain name and its corresponding Internet Protocol (IP) number. [1] A do- 
main name (DN) is the human-friendly form of Internet address that is both 
easy to identify and to remember such as <www.amazon.com> or 
<www.yahoo.com>. The “real” Internet Protocol address is a string of num- 
bers, which comprise four numbers in the range 0-255 separated by dots. 

As such, the IP address is just like any telephone number, which identi- 
fies a particular computer on the Internet. Consequently, the IP address is dif- 
ficult to use and remember (e.g. 217.64.231.68 is the IP address of the London 
department store <harrods.com>). 

Technically, a DN is divided into a Top Level Domain (TLDs), and a 
Second Level Domain (SLD). The TLDs, in turn, are divided into two major 
categories: generic top-level domains (gTLD) such as (.edu, .net, or .com) [2] 


121 


and country-code top-level domain (ccTLDs) such as (uk, .jp, or .gr). Thus, in 
the domain name <www.amazon.com>, the string of characters <amazon> is 
the second-level domain registered in the top-level registry <.com> file zone. 

The DNS has servers located all over the world which do the task of 
converting the DN to the allocated numeric address so that when a DN is typed 
into a computer the Internet software automatically converts the typed in DN 
to the corresponding numeric address enabling contact with the associated In- 
ternet site. In order to avoid criss-cross of connections and overlapping of ad- 
dresses the allocation of the DN and the corresponding numeric address has to 
be strictly regulated. Since 1998 the Internet Corporation for Assigned Names 
and Numbers (ICANN) does this.[3] It is a non-profit organisation that was 
formed to take over the responsibility for the IP address space allocation, pro- 
tocol parameter assignment, DNS management, and root server system man- 
agement; it is an Internet-community-based organization.[4] 


2. Background 


The two Internet domain names leading points in Israel and Palestine are the 
Israeli Internet Association (ISOC-il) and the Palestinian National Internet Na- 
ming Authority (PNINA), respectively. 

The ISOC-il was established in 1994 as an independent entity that acts 
to promote the Internet and its integration into Israel’s technological, research, 
educational, social and business infrastructure. However, the domain name re- 
gistry has not been managed until 1997. At present, 111,239 domain names are 
registered in Israel. The Association is currently labouring to change Israel’s 
existing domain name registration process to one based on registration by cer- 
tified registrars. This change in the domain registration process is expected to 
further improve the level of service the local internet community receives in 
this field. [5] 

However, PNINA which is responsible for administering and operating 
the Palestinian ccTLD .ps was not found until early 2004 when it commenced 
its official operation under the .ps, this is largely because the .ps top level do- 
main was not obtained until March 2000. PNINA’s role is to realise the Pale- 
stinian on-line presence through the formulation of registration policies, 
administer the .ps domain Registry, and to enhance and promote Internet usage 
in Palestine. [6] 

To register a name under the .il ccTLD, the ISOC-il Rules for the Allo- 
cation of Domain Names at the .il version 1.3 (The Rules) [7] requires an ap- 
plication for allocation to be made by the party who will hold the domain name 
or by a third party, including by way of an ISOC-IL Accredited Registrar 
(“AR”), on behalf of the name holder (collectively “Applicant”). The ISOC-IL 


122 


will then examine the application on a "first-to-apply, first-served"[8] basis 
whether the requested Domain Name meets the criteria set forth in the Rules 
in force at the time the Application is submitted, and determine whether to al- 
locate the Domain Name. The Rules prohibit some domain names from being 
allocated for reasons, such as, technical, or names shorter than three characters, 
when a domain names already allocated, or for rules non-compliance reason, 
or if the name offensive or barred by Israeli law.[9] 

The ISOC-IL issued a list of SLDs that can be applied to register a 
name under, however the list is subject to change without prior notice (5.3), the 
current list appears as; 


5.1 (a). .co.il - intended primarily for, but not limited to, commercial 
entities. 
5.1 (b). .org.il - intended primarily for, but not limited to, 
non-commercial entities. . 
5.2. Domain Names will be allocated under one of the following SLDs 
to Holders meeting the following criteria: 
5.2 (a). .net.il - for Internet Service Providers holding a valid Internet 
Service Provider license from the Israeli Ministry of Communications. 
5.2 (b). .ac.il - for academic institutions of higher education that have 
been recognized by the Committee for Higher Education ("MALAG"). 
Registration of Domain Names under this SLD is done in consultation 
with MALAG. 
5.2 (c). .gov.il - for governmental entities of the State of Israel. The 
Government Internet Committee of the Ministry of Finance ("Com- 
mittee") has been currently tasked with allocating Domain Names 
under this SLD. Applicants may refer to the Committee's website at: 
http://www. itpolicy.gov.il/registrar/gov_il.htm. 
5.2 (d). .idf.il - for Israel military entities. The IDF Central Computing 
Facility ("“MAMRAM") has been currently tasked with allocating Do- 
main Names under this SLD. Under this SLD, only Domain Names 
authorized by MAMRAM will be allocated. Applicants seeking allo- 
cation under .IDF.IL should contact MAMRAM directly. 
5.2 (e). .k12.il - for kindergartens, elementary schools, and high scho- 
ols as classified by Ministry of Education. Allocation under the 
.K12.IL SLD is made in the fourth level in the following format: 
..K12.1L. Any deviation from this format is subject to the Ministry of 
Education's approval. 
5.2 (f). .muni.il - for municipal and local government authorities. 


Domain Names under the MUNLIL SLD are allocated to municipal bo- 
dies within the State of Israel. Domain Names allocated under the MUNLIL 
SLD will be made in accordance with the formal "List of Settlements" publi- 
shed regularly by the Central Bureau of Statistics. 


123 


In all cases, Domain Names will be allocated-only to the formal repre- 
sentative of municipal bodies. In case there is more than one body representing 
a settlement, the municipal body will be allocated a name under MUNLIL 
while any other body will typically be allocated a name under ORG.IL. 

Requests for a different spelling (only) for a Domain Name may be sub- 
mitted to ISOC-IL, provided that: 


e There is a letter, signed by the head of the municipal body, on mu- 
nicipal stationary, that details the desired spelling; 

e There is no prior allocation (or pending allocation) of a Domain 
Name spelled according to the "List of Settlements"; and 

e The Domain Name requested represents only a different spelling of 
the formal name of the municipal entity, and no other change, when 
compared to the formal “List of Settlements”. 


In principle, the registration processes under .ps is open to any entity in- 
side and outside Palestine to apply and register a domain name under .ps. Ho- 
wever, the only entities allowed to register under .ps are those with legal 
presence in Palestine, registration can be made for active or inactive future 
usage. 


The .ps registration operates in accordance with the first-come, first-se- 
rved principle. All entities seeking to register under the .ps domain must fill and 
submit an application through one of the Certified Registrars (CR) who in turn 
submit them directly to PNINA. A domain name must be absolutely unique 
and available and each application for registration will have to meet a number 
of some requirements, such as, comply with technical features, or to refrain 
from infringing local or international trademarks rights, registered trademarks, 
service marks or a well-known company name or its abbreviation unless the re- 
gistrant is the owner of this Trademark, Service mark or company, in this case, 
a proof of ownership or legal rights to the name may be required. The name 
should not interfere with the rights of a third party. In addition, the name being 
registered should not be used for any unlawful purpose or activities not per- 
mitted by the Palestinian law, the name can not be any of the excluded or pro- 
tected ones as defined by PNINA in its protected names database. A broad 
categorization of these names is Palestinian geographic names, offensive and 
obscene names, religious names, famous names and natural (common) names. 


The PNINA reserves the right to reject any registration application if the 
domain name does not comply with the rules outlined above, if the application 
form are incomplete, if the name is identical to an already registered name, if 
the name is one of the excluded or protected ones as defined by PNINA in its 
protected names database, if the name does not comply with public ethics, if 


124 


is registered for purpose of financial gain and profit, or if the name infringes 
on the legal right of a third party.[10] 


Section (3.7.) at PNINA registration policy, provides that domain Names 
can be registered directly under the .ps domain or under one of the following 
chartered domains, namely: 

e edu.ps : for educational Institutions. 

e  gov.ps : for institutions of the Palestinian National Authority (PNA) 

and the future state of Palestine. 

e plo.ps : for institutions of the Palestinian Liberation Organization 

(PLO). 

e sec.ps : for security organizations of the Palestinian National Au- 

thority and the future state of Palestine. 

e com.ps, net.ps and org.ps : for all entities such as commercial, ne- 

twork companies, ISPs, NGO's and individuals. 


3. Domain Name Legal Status 


Before searching the Israeli Palestinian instruments and the means to protect 
domain names, it is vitally important to consider the legal status of the domain 
name in the first instance. What is the status of a domain name under Israeli and 
Palestinian registration polices and laws? The exact question has not been con- 
sidered before any court in any of the two countries. However, looking at the 
ISOC-il Rules for the Allocation of Domain Names, it defines a domain name 
as being an entry on ISOC-IL's register database, reflected by the .il Domain 
Name System name servers as part of the resolution service provided by the 
Registry. A Domain Name is not an item of property and has no “owner”. [11] 

It is clear that in accordance with these rules, a domain name registra- 
tion under .il is no more than entry to the database, but does not give rise to any 
property rights. Therefore, the reference to domain name registration through- 
out the policy and the rules was as domain name “holder”. This will give no fur- 
ther rise to any rights beyond “relative” contractual rights with the ISOC-il 
registrar. 

However, looking at the PNINA rules, even though it does not address 
the issue specifically, it refers occasionally to a domain name registrant being 
the name owner (i.e. The Domain delegation is personal and not transferable 
from a domain owner to a new domain owner unless the domain name is trans- 
ferred with the business assets of the Registrant).[12] It defines registrant as an 
entity which has registered a domain or in the process of registering one. [13] 
PNINA will therefore be likely to accept that a successful domain name regis- 
tration into their databases will give rise to ownership over the name “absolute 
rights”. 


125 


As mentioned above, the issue has still not been considered before any 
Israeli or Palestinian court. However, examining the literature, the likely ap- 
proach is that to draw a distinction between a domain name being an absolute 
or relative rights. A domain name mere registration is based upon the conclu- 
sion of a contract with the ISOC-il or PNINA. In light of this contractual rela- 
tionship between the various parties concerned, some authors believe that the 
mere registration provides the registrant with a relative right, that is a right that 
can exercised against a specified party (mainly the ISOC-il or PNINA). Some 
other authors compare the domain names with other intellectual products of 
the human mind such as works that are protected for instance, by copyright 
laws, trademarks or trade names, geographical indications...etc. However, a 
domain name mere registration or use does not in itself result in the acquisition 
of any rights, whether trademark rights or otherwise, and in order to give rise 
to an independent intellectual property rights that can be used against subse- 
quent users and hence provides the registrant with absolute rights, that is, a 
right that can be exercised against everyone, the domain name will have to be 
used in commerce and where the domain name has the necessary characteris- 
tics of distinctiveness. This will largely depend upon the manner of “use” on 
a case by case basis. 

Other jurisdictions have provided different answers and in essence, there 
is not a uniform answer to the issue, for example, the U.S. Virginian Circuit 
Court was one of the first to consider the issue in Umbro International, Inc., v. 
3263851 Canada, Inc., and Network Solutions, Inc,[14] the Court held that do- 
main names are used to be a form of “intangible intellectual property” and sub- 
ject to judicial sale to satisfy a monetary judgment against a domain registrant. 
It is clear that the court reached such a conclusion due to the following reasons: 
firstly, the domain names could be evaluated as such, and secondly, under the 
U.S. regulations for trademark protection, the interested domain name holder 
could apply and be granted with registration of the domain as a trademark in 
the Patent and Trademark Office. 

Nevertheless, this decision has not prevented some authors from draw- 
ing an economic analogy to the domain name being more similar to real estate, 
and for this reason the efficient protection for them is somewhere closer to real 
property law than traditional trademark law.[15] 

In the landmark “Pitman case”/16] the UK High Court of Justice held 
that the domain name holder could not base a claim on the grounds of property 
right. In later case the claimant Pitman Training Limited brought an action 
against Pitman Publishing Division of Pearson Professional Limited based on 
to unlawful transfer of the domain name ‘pitman.co.uk’ by the registrar 
Nominet UK to the defendant. The court found that such claim is groundless 


126 


due to lack of contractual relationship between the claimant and the defendant. 
The contract for registering a domain name exists and hence is binding only be- 
tween the domain name holder and the registrar. On the other hand the court 
held that in any case the domain name holder could only claim from the reg- 
istrar indemnification due to breach of contractual terms, but not to claim trans- 
ferring back of the domain name. 

The above findings are also further supported by other U.S. courts in 
Rose Marie Dorer and Forms, Inc., v. Brian Arel case. [17|Nevertheless the 
court is trying again to see into the legal nature of the domain a new kind of 
intellectual property, there are some very important conclusions; the court 
recognises that as new form of intellectual property the transfer of title could 
be performed only by new registration, i.e. by entering in new contract with the 
registrar; in addiction, the domain name is not a property right; the domain can 
only be give to its holder contractual rights, and the domain name cannot be 
evaluated as such but as a contractual right. 


4. Treatment of Domain Name Disputes 
4.1. Disputes Resolution Policies 


In the event of domain name disputes, the Israeli ISOC-il has introduced an al- 
ternative dispute resolution regarding the allocation of domain names under 
the .il ccTLD in accordance with the rules for allocation of domain names 
under .il.[18] The grounds of IL.DRP outlined in section (B, 3) 


3. Disputes regarding allocation of a Domain Name by a Hol- 
der may be brought by a third party ("Complainant") on the 
following grounds: 

3.1. the Domain Name is the same or confusingly similar to a 
trademark, trade name, registered company name or legal en- 
tity registration ("Name") of the complainant; and 

3.2. the Complainant has rights in the Name; and 

3.3. the Holder has no rights in the Name; and 

3.4. the application for allocation of the Domain Name was 
made or the Domain Name was used in bad faith. 


On the other hand, the Palestinian PNINA has voluntarily adopted the 
ICANN Uniform Domain-Name-Dispute Resolution Policy (UDRP) to reso- 
lve disputes under the .ps ccTLD. The UDRP, which was formally adopted on 
August 26, 1999, in order to resolve the rapidly growing number of domain 
name disputes, has been included reference to in the registration contract in 
the .ps ccTLD as an administrative procedure for dispute involving allegation 


127 





of abusive registration, under which trademark owners have to submit their 
complaints to a PNINA approved dispute resolution provider. Panels are em- 
powered to require registries either to cancel improperly obtained domain 
names or to require the transfer of the domain name in dispute to a successful 
complainant. Under paragraph 4(a) of the UDRP, the burden for the Compla- 
inant is to prove: 


(a) That the domain name registered by the Respondent is iden- 
tical or confusingly similar to a trademark or service mark in 
which the Complainant has rights; 

(b) That the Respondent has no rights or legitimate interests in 
respect of the domain name; and 

(c) The domain name has been registered and used in bad faith. 


From the above, it is clear that the two policies are aimed primarily at 
domain name trademark, trade names disputes, and (registered company or 
legal entity names in Israeli disputes). It is not aimed at the broad concept of 
“rights” in relation to domain names. Although, domain names protection to 
other IPRs have been addressed and recognised at section 3.9.7 of the Palesti- 
nian Registration Policies and Procedures for Registering Domains under the 
-ps ccTLD, “The name cannot be any of the excluded or protected ones as de- 
fined by PNINA in its protected names database. A broad categorization of 
these names is Palestinian geographic names, offensive and obscene names, 
religious names, famous names and natural (common) names.” This has not 
been translated into the PNINA resolution policy since they have adopted the 
UDRP, meaning that, in principle, a domain name holder who has developed 
IPRs (except trademarks) in the name will not be eligible to challenge a third 
party under the policy. It therefore provides inadequate remedy to the regi- 
strant. 


4.2. Domain Names Trademarks Disputes 


The main reason for the disputes between the domain name and trademark is 
that a domain name must be absolutely unique, while names in which legal 
right subsist are only relatively unique. Moreover, the Internet is a global trade 
medium and it disrespects any geographical barriers that, to an extent, apply to 
business in the normal world. 

Often when trademark owners realise the commercial power and value 
of incorporating their marks in domain names, it was sometimes too late. The 
domain name registration system was not interested in trademark rights and 
supplied registrations to whoever was willing to pay the appropriate fee on a 
“first come, first served” basis. 


128 





This lead to a situation in which some persons “third parties”, often re- 
ferred to as a cybersquatters, who do not posses right in such domains, register, 
in bad faith, a number of trademarks as a domain names with the intention of 
selling the domain names to the mark’s owners for a very high prices in order 
to make a high profits. Cybersquatters exploit the first come, first served na- 
ture of the domain name registration system to register as a domain name, third 
parties’ trademark or business name, as well as variations thereof. 

A domain name incorporating a trademark may constitute a trademark 
infringement, if used in a trademark sense without having legitimate trademark 
proprietor rights. A trademark in the context of a domain name may, however, 
be fairly used for purpose of comparative advertisements, spare parts dealers 
and resellers, so long as the “use” itself passes successfully the likelihood of 
confusion examination and that the “use” conveys to the consumers the genu- 
ine nature of goods or services in good faith.. 

Registrations of a large number of domain names incorporating trade- 
marks constitute evidence of bad faith that may consequently fall the “use” 
into unfair commercial use. (see; Panavision v. Toeppen) In addition, registe- 
` ring a name and then offering to sell it back to the genuine trademark proprie- 
tor may also seen constitute evidence of unfair use. Even though if the domain 
name used for a comparative advertisements purpose. 

The non-commercial use is permissible under established trademark law 
principles. The example for a non-commercial use, among others, can be for 
criticism or commentary purposes. The exception is whether the website is a 
genuinely critical or not. For instance, posting a commentary on the website 
when the trademark owner refuses to purchase the domain name from its re- 
gistrant is an evidence of unfair use of the trademark.[19] In addition, a num- 
ber of ICANN UDRP cases supports that a domain name registered and used 
in bad faith will lead to “unfair use”, hence, transferring or cancelling the na- 
me’s registration. Even though if the domain name was used for criticism or 
commentary purpose.[20] 

If a domain name used for a fan club website purpose, that will satisfy 
the fair use requirement for non-commercial use purpose. Hence this type of 
uses should be considered a legitimate and fair use.[21] Nominative or de- 
scriptive use is a non-commercial use is also considered legitimate.[22] 


4.3. First Domain Name Dispute 


The ISOC-il has issued its first ruling in early 2000 to transfer a domain name, 
waltdisney.co.il, from an individual to its trademark owner, Walt Disney Com- 
pany (US). The Advisory Committee Panel (ACP) has examined the dispute 
from both standpoints- that of the legality of the allocation under (the Rules) 


129 





and that of the legality of the allocation under the general laws of the State of 
Israel. “We have found that ISOC-IL allocated the name in accordance with the 
Rules. However, we have also found that the Respondent’s actions constitute 
a bad faith use of a legal right, and that accordingly, the allocation must be re- 
voked”. 

In another instance, the Tel Aviv District Court ruled that the registered 
trademark owner is the legal holder of a domain name. In the case of Nana 
Disk v Netvision, the Haifa District Court in August 2001 ruled that Netvision 
could use the name Nana in its Internet portal despite the fact that the plaintiff 
had made use of the name in its music business, since trademark had been re- 
quested. A similar issue was raised in May 2006, when Walla, one of the lar- 
gest portals, requested from the Tel Aviv District Court to instruct Red Rob, a 
clothing company, to stop using the name Walla for one of its fashion lines. 

The first Palestinian ruling under the .ps ccTLD was delivered in Octo- 
ber 2005, in the Inter IKEA Systems B.V. v. JOHN JONES Case No. D2005- 
0001[23], the sole panel ruling was unsurprisingly in favour of the trademark 
owner IKEA (complainant). i 


5. Other Instruments and Means of Protection 
5.1. Trademark Laws 


It has been identified that the rights arising pursuant to contractual relation- 
ship are “relative”, entitling the registrant to seek only a fulfilment of obliga- 
tions from the registrar with no further remedy from third parties. In addition, 
both policies require a showing of bad faith. However, in the absence of bad 
faith a court action may still be brought in for any IPRs infringement including 
trademark infringement and unfair competition. 

Israel and Palestine have no specific legislation dealing with IPRs is- 
sues over the Internet. Therefore, the classic legislations infrastructure will be 
examined in court when a domain name dispute arises. Note that the two po- 
lices above offer either party and at any stage to take the dispute forward to a 
court of law instead. 

It is undisputable that the domain name is a wording sign. Under the 
Israeli Trade Mark Ordinance (New Version), 5732-1972, defines a “mark” as 
letters, numerals, words, devices or other signs, or combinations thereof, whe- 
ther two-dimensional or three dimensional; a “trademark” means a mark used, 
or intended to be used, by a person in relation to goods he manufactures or 
deals in; “registered trademark” means a trademark registered in the Register 
of Trademarks under the provisions of this Ordinance. It is therefore possible 
for a domain name to benefit from protection that is granted to the right hol- 


130 


ders of signs considered as absolute right: e.g. copyright, trade or service mark 
right, right to a personal or trade name, etc. 

The Jordanian Law of Trademark for the No. 33 for the year 1952 which 
is also effective in Palestine, defines the term “trademark” to include any mark 
used or is intended to be used upon goods or in connection therewith for the 
purpose of indicating that such goods are those of the proprietor of such tra- 
demark by virtue of having manufactured, selected, certified, traded in or of- 
fered them for sale.(Article 2) 


5.2. Unfair Competition Laws 


On the other hand, protection could be searched in unfair competition law. 
Chapter one at the Israeli Unfair Competition (Commercial Torts), Law, 
19/04/1999-5759, describes four types of prohibited actions under as; i 


Passing Off 

1.-(a) A business shall not cause the goods he sells or the servi- 
ces he offers to be mistaken for the goods or services of another 
business or related to another business. 

(b) The use in good faith by a business of his own name, in order 
to sell his goods or offer his services, shall not of itself be regar- 
ded as passing-off. 


False Description 

2.-(a) A business shall not advertise, nor cause to be advertised, 
something that he knows or that he ought to know is untrue with 
respect to his own business, profession, goods or services or 
those of another business (hereinafter: "false description"). 

(b) A person who distributes an advertisement of another person, 
or on behalf of another person, which contains a false descrip- 
tion, or a person who decides to actually effect an advertisement 
containing a false description, shall not be liable under this sec- 
tion unless he knew that the description was a false description, 
or unless the description is, on its face, a false description. 


Unfair Interference 

3. A business shall not unfairly prevent or burden the access of 
customers, employees or agents to the business, goods or servi- 
ces of another business. 

Tortfeasor and Victim 


4. The obligations under this Chapter shall apply to a business 


who performs an act prohibited under this Chapter during the co- 
urse of his business or in relation to it, to another business who 


131 


is harmed or suffers damage as a result of the breach of the ob- 
ligation, during the course of his business or in relation to it. 


The Jordanian Trade secrets and unfair competition law of 2000 No.15 
is also valid in Palestine, it defines unfair competition acts to include any com- 
petition contradictory to the honest practices in the commercial and industrial 
activities and particularly the following: 


1. The activities that may by nature cause confusion with 
entity, products or commercial or industrial activities of 
one of competitors. 

2. Untrue assumptions in practicing trade, whereby cau- 
sing deprivation of trust from one of the competitors’ 
entity, products or industrial or commercial activities. 

3. The data or assumptions which use in commerce may 
mislead public in respect to the product’s nature, me- 
thods of manufacturing, properties, amounts, and ava- 
ilability for use. 

4. Any practice that reduce the product reputation, cause 
confusion in respect to the product general shape or pre- 
sentation, or mislead the public on declaring the pro- 
duct price or the method of counting thereof. 

5. B. Ifthe unfair competition related to a trademark used 
in the kingdom either being registered or not and cau- 
ses public misleading, provisions of paragraph (A) of 
such article shall be applied. 

6. C. The provisions of paragraphs (A) and (B) of this ar- 
ticle shall be applied on the services as necessary. 


5.3. Protection of Titles 


In Israel and Palestine there is no separate law covering the protection of titles 
of publications such as books, journals, films...etc. They are unlikely to qual- 
ify as literary works for copyright purposes. However, titles maybe registerable 
as a trademark if a domain name featuring such a title is being used in the com- 
mercial sense. If a trademark registration is not possible and goodwill is at- 
tached to the name in question, then unfair competition action maybe available 
to restrain deceptive use of the name. 


5.4. Protection of Names 


Despite article 3.9.7 of the PNINA registration policy , the procedure requires 


132 


a registration application to have a certain format and to satisfy registration 
rules including bar on protected domain name as defined by PNINA in its pro- 
tected names database. A broad categorization of these names is Palestinian 
geographic names, offensive and obscene names, religious names, famous 
names and natural (common) names. Israeli and Palestinian laws impose no 
restriction on the registration of domain names featuring the name of for ex- 
ample, cities or villages, or personal names, provided that the name is not a 
registered trademark and provided that the registration and use of the name 
will not be likely to lead to unfair competition or passing off action. 


5.5. Protection of Geographical Indications 


Geographical Indications are protected in various ways in Israel and Palestine. 
The Israeli Geographical Indications (Protection) Law (Consolidation), 5725- 
1965-5725(01/2000) and the Jordanian Law on Geographical Indications No. 
(8) of 2000,which is valid in Palestine. Both laws provide an extensive pro- 
tection to the indication of geographical origin in its various provisions. All 
these provisions seek to prevent inter alia false attributions of geographical 
origin. Accordingly, the use of a domain name featuring a geographical indi- 
cation in a manner likely to mislead Internet users could be vulnerable to at- 
tack. If, for instance, a trader used the domain name www.deadseamud.(co.il) 
or (.co.ps) , to connect a website promoting the sale of mud from geographi- 
cal location other than the Dead Sea, it is likely that the trader in question would 
find himself on the wrong end of breach or the unfair competition/passing off. 


6. Conclusion 


In a medium like the Internet, the protection of domain names to other IPRs is 
still outstanding. The paper provided an overview of the current scheme of 
protection in Israel and Palestine. There is no particular legislation in this re- 
spect;however, the current scheme provides some protection to other IPRs. At 
present, the classical domain name trademark type of disputes is the only type 
that has been addressed before any court in Israel and Palestine. However, other 
IPRs issues are just about to be faced in both jurisdictions. A need to address 
these issues in a new legislation is therefore justified. Furthermore, there sho- 
uld be made greater efforts in harmonising the legislations of the different ju- 
risdictions in this respect. 


133 


Notes 


[1] The management of Internet names and addresses: Intellectual property issues”, final 
report of the WIPO Domain Name process, (April 30, 1999) retrieved 1 November, 2007, 
from http://wipo2.wipo.int 

[2] New generic top-level domain names are constantly been introduced, further details 
can be found on ICANN website retrieved 1“ November, 2007, from 
http://www.icann.org/tlds 

[3] ICANN is the successor to IANA (Internet Assigned Numbers Authority) IANA website 
retrieved 1 November, 2007, www.iana.org 

[4] ICANN website retrieved 1* November, 2007, www.icann.org 

[5] Further information at ISOC-il website retrieved 1% November, 2007, 
http://www. isoc.org.il 

[6] Further information at PNINA website retrieved 1% November, 2007, 
http://www.pnina.ps 

[7] The Rules are available and retrieved 1t November, 2007, from www.isoc.org.il/do- 
mains/il-domain-rules.html 

[8] ISOC-IL registration system utilizes a technical "clocking-in" system which records 
the exact date and time in which an Application is received ("ISOC-IL's Clock") and this 
shall determine which application is 'first-to- apply, first served’. However, the "clocking- 
in" commences only upon receipt of a valid and complete Application by ISOC-IL. (see sec- 
tion 6, of the rules) retrieved 1* November, 2007, www.isoc.org.il/domains/ 
il-domain-rules.html 

[9] Section 7, (the rules) retrieved 1* November, 2007 www.isoc.org.il/domains/il-domain- 
rules.html 

[10] Domain Name Registration Policy at the PNINA retrieved 1* November, 2007 
www.pnina.ps/registration/reg 

[11] Section A, 3, (The Rules) Domain Name retrieved 1* November, 2007, from 
www.isoc.org.il/domains/il-domain-rules. html 

[12] At section 8, Domain Name Registration Policy at the PNINA retrieved 1** November, 
2007, from www.pnina.ps/registration/reg 

[13] At section 1, Domain Name Registration Policy at the PNINA retrieved 1* Novem- 
ber, 2007, from www.pnina.ps/registration/reg 

[14] Umbro International, Inc., v. 3263851 Canada, Inc., and Network Solutions, Inc.,No. 
174388,Circuit Court of Virginia, 1999 WL 117760 (Va. Cir. Ct.) retrieved 1* November, 
2007, from www.be.edu/be_org/avp/law/st_org/iptf/headlines/content/umbroadd.html 
[15] Yee K., ‘location.location.location: a Snapshot of Internet Addresses as Evolving Pro- 
perty' 1997 (1) The Journal of Information, Law and Technolog y (JILT). retrieved 1* No- 
vember, 2007, from http://elj. warwick.ac.uk/jilt/intprop/97_lyee/ 

[16] Pitman Training Limited and PTC Oxford Limited v. Nominet U.K. and Pearson Pro- 
fessional Limited (Pitman Publishing Division), High Court of Justice, 1997 F1984, WIPR, 
1997; retrieved 1* November, 2007, from http://www.nic.uk/news/pitman-judgment.html 
[17] Rose Marie Dorer and Forrms, Inc., v. Brian Arel, 03/09/99, No.98-266-A, 1999 U.S. 
Dist. LEXIS 13558. 

[18] Rules for Allocation of Domain Names under IL retrieved 1* November, 2007, from 
www.isoc.org.il/domains/il-domain-rules.html 


134 


[19] See, DreamWorks LLC v Grantics, Case No. D2000-1269, (Dec 16, 2000) retrieved 
1* November, 2007, from www.wipo.int/amc/en/domains/decisions/html/2000/d2000- 
1269.html 


[20] In Shields v. Zuccarini individually and t/a Cupcake City, 54 U.S.P.Q. 2d 1166, 89 F. 
Supp. 2d 634 (E.D. Pa. 2000), the complainant submits that the Shields case is analogous 
to the facts at hand in that the respondent changed the content of his www sites from com- 
mercial uses to purported “ protest sites” after being served with a complaint by the owner 
of the trademark that he was infringing. The Court found that “the vast majority of Zucca- 
rini's many websites are not political forums but are merely vehicles for him to make money. 
... It strains credulity to believe that he uses 99.9% of his domain names for profit but re- 
serves his Joe Cartoon domains for fair and lawful political speech.” Id. at 640 (emphasis 
added by the complainant in its submission). 


[21] See, The Estate of Tupac Shakur vs. R.J. Barranco, AF-0348a and b (eResolution Octo- 
ber 23, 2000) retrieved 1* November, 2007, from www.disputes.org/decisions/0348.htm 
the respondent had a legitimate interest in the domain name and that bad faith was not pre- 
sent...the fan website was free of charge for users, was not commercial in nature, did not 
misleadingly divert consumers, and did not tarnish the claimant’s mark...” The tribunal 
upheld the use of a domain name for fan-club purposes saying: “The position of the Cla- 
imant...would effectively prohibit any fan club from being established on the Internet if it 
mentioned in the site name an artist’s name, where part or all of that name related to a re- 
gistered mark or even perhaps transgressed claims of common law rights in a name. It 
would also permit persons in the position of this Claimant to unjustly enrich themselves by 
confiscating the work of fans and admirers in establishing a web site supporting their fa- 
vorite artists without any opportunity for compensation.” Also, see Nintendo of America, 
inc .v. Alex Jones Case No. D2000-0998 retrieved 1* November, 2007, from 
www.wipo.int/amc/en/domains/decisions/html/2000/d2000-0998.html 


[22] see, New Kids on the Block v. News America Publ’g, Inc., 971 F.2d 302, 306 (9" Cir, 
1992) 


[23] Inter IKEA Systems B.V. v. JOHN JONES Case No. D2005-0001, retrieved 1* Nov, 
2007, from www.pnina.ps/pscase/IKEA-PS.pdf 


135 


Whodunit ! Assessing Copyright Liability in Cyburbia: 
Positing Solutions to Curb the Menace of Copyrighted 
‘File Sharing’ Culture | 


Akhil Prasad 
IVth Year Student of Law, 
Gujarat National Law University, Gandhinagar, Gujarat, India 
akhil_99@hotmail.com 
Aditi Agarwala 
IVth Year Student of Law, 


Gujarat National Law University, Gandhinagar, Gujarat, India 
aditi_2k2002@yahoo.com 


Abstract. The electronic age has kick started the information 
boom and with an ever increasing pace, it has begun to spread its ca- 
nvas to engulf mankind as its greatest beneficiary and perhaps its most 
susceptible slave. This is evident from the universal phenomenon of co- 
pyrighted file sharing culture promoted by P2P technologies. Indeed, 
the P2P architecture poses a threat to the entertainment and software in- 
dustries which stand on the legislative guarantee of copyright laws. But 
technological advances have not only caused legislative obsolescence 
but have also altered the dynamics of information exchange in the on- 
line environment. The word ‘State’ seems to have lost its meaning so- 
mewhere. Therefore, there is a pressing need on us, as an international 
society to devise alternative solutions and approaches to substantially 
curb the abuse of digital copyrighted works, for copyright laws to have 
any meaning. It is this global concern which gives birth to this paper. 


Key Words: Online Piracy, P2P Software’s, Secondary Infringement Liability, Pri- 
vate Copying, Policy Options 


For economic incentives to work appropriately, property rights must pro- 
tect the rights of capital assets... At present...severe economic damage 
[is being done] to the property rights of owners of copyrights in sound 
recordings and musical compositions. ..under present and emerging con- 
ditions, the industry simply has no out. ..unless something meaningful is 
done to respond to the ...problem, the industry itself is at risk. 

Alan Greenspan (1983) [1] 


The wise words of the man who went to become the Chairman of Federal Re- 
serve of the United States is germane even today, when the century has turned 
a new leaf. Analog piracy is passé and digital piracy has become a global con- 
cern. The borderless Internet, which originated in the United States is now a 
medium to which every man in the world can enjoy a green card and which can 


137 





be accessed from almost any part of the planet where civilization exists. 

From the times of Gutenberg’s Printing Press to the modern day Inter- 
net technologies, a lot of water has flown beneath the bridges. The world has 
witnessed a progressive transition from the physical tangible to the ephemeral. 
We are leaving the industrial world of the past 250 years and entering the new 
networked world of cyberspace - the global interactive multimedia information 
and communications network. (Lin, 2001, p. 1) We all want to be a part of this 
digital information society and enjoy easy, quick and cheap access to varied 
genres of entertainment media such as mp3 music, full length DVD movies, so- 
ftware, games etc. at the click of the mouse button. Indeed, the pervasive in- 
formation gateway has revolutionized the economics of accessing information 
and bears an influence on every facet of the human specie be it trade and com- 
merce, business and industry, stock markets, laws and legislations, social and 
political environments, personal lives and personal relations of human persons 
who are mere ‘units’ in the lawless waves of cyberspace. 

The so-called copyright industries welcomed and rejoiced the dot com 
boom, but soon realized and faced the technological blow, the wounds of 
which haven’t been healed unto this date. Indeed, much ‘meaningful’ work has 
been done on the legal and technological front since Greenspan raised his con- 
cern in 1983, yet the above concern seems crystallized in time and there is a 
pressing need to revisit the present, anticipate the future and posit legal and 
technological solutions for the approaching tomorrow keeping in mind the pre- 
vailing social, economic, political realities, fundamental democratic principles 
and technological possibilities and alternatives. 


1. Online Piracy — The Beauty of this Beast 


Intellectual Property Rights, principally copyright laws protect the immaterial 
property in the intangible cyberspace. However, infringement in the online 
environment is exacerbated, not only by the speed at which copyrighted data 
can be transferred across political boundaries of Nation - States but on a much 
basic level, where software, driven by the mens rea of internet pirates is utili- 
zed to duplicate the digital file into so many copies, sufficient enough to im- 
pair the market of the creator or the owner of the copyrights therein. 
However, one must not forget that there is a line of distinction between 
‘owned knowledge’ and ‘shared knowledge’ and what IP laws protect is the 
former which submerges into the latter after the definite period of protection 
expires. Though the Information and Communication Technologies (ICT’s) 
has universalized the concept of communication and provided a common plat- 
form for mankind to carry out business, it is equally true that the very same 
technology is vulnerable to cyber pirates and can be exploited in the most per- 


138 


verse manner. Such is the beauty of this beast as well as its bane. Indeed, it has 
rightly been said that technology is a double edged sword and the ICT’s are no 
exception to that. Truly, ‘technology is copyright industry’s best friend and 
worst enemy.’ (Geetesh, 2007, p. 1) 


1.1 ‘Share’ but with ‘Care’ 


The digital world may be a need, an addiction, a facilitator, a tool which can 
be used from communication to creativity, for accessing news to penning down 
views (on online bulletin boards), to transact without ‘being there’ and cele- 
brating the online culture to ‘share’. 

It is this ‘celebration’ which is under the legal scanner and has to be exa- 
mined through the lens of copyright (as a discipline of law). This paper ad- 
dresses a very delicate issue concerning P2P Networks which has proliferated 
the culture to ‘share’ which has naturally had an adverse impact on copyright 
industries. ‘Delicate’ because the fact is that almost all having access to the in- 
ternet and personal computers use it almost indiscriminately and most of us 
would prefer to use it ad infinitum and unfettered including authors, like you 
and us who write pages of literature advocating the ban of such software’s from 
the standpoint of legal sanctity. Courts ban it, grant injunctive relief against it, 
award damages yet, it resurfaces itself only under different names and once 
installed, the network grows uncontrolled by the hour. Therefore, mere criti- 
cism (though constructive) would not suffice but an attempt has to be made by 
the academic community to offer alternative approaches, policy options and 
realistic solutions to curtail this social ‘evil’. This paper attempts to do that pre- 
cisely. 

Such issues arise in the network society because there is no cyber police 
or e-government. It is like space, where monitoring (to protect the work aga- 
inst the abuse of infringement) is a technological myth. The artistic creations 
of creative individuals were never immune from piracy but piracy with respect 
to P2P Networks has the effect which can be compared to the impact of mali- 
gnant cancer on the body of the patient. Indeed, it has the potential to destroy 
the prospects of securing fair returns on labor, just and well deserved monetary 
rewards, basically defeating the stimulus which motivated the creation or from 
a jurisprudential perspective, defeating the goals of copyright law which in the 
preambular dictates of Queen Anne’s statute [2] have been beautifully descri- 
bed as ‘An Act for encouragement of learning’. Your favorite music or movie 
is downloadable at the click of the mouse. It is not the question of money, but 
only a matter of time. Such are the excesses of ‘access’ in the online environ- 
ment. Copyright seems meaningless. 


139 


1.2 The Age of P2P giants — Ever heard of ‘Free’ Copyrighted Digital File? 


If it is free, it cannot be copyrighted. If it is copyrighted, it cannot be free. Bu- 
siness is not equivalent to charity but P2P swapping giants seem to combine bu- 
siness with charity by sharing copyrighted works for free and making big bucks 
behind the curtain under the guise of ‘dual use technologies’ which has soun- 
ded the death-knell of digital copyright industry. We are all witness to the fact 
that the information and communications technologies coupled with state of the 
art software applications has completely altered the dynamics of industries who 
have a ‘business stake’ in copyright laws [3] and whose operations are tan- 
gential to technological developments. Online piracy in copyrighted works is 
rampant and the digital threat to copyright has assumed incalculable propor- 
tions with the advent of P2P Softwares which can be downloaded for free. The 
ease and speed with which a work can be replicated, once it is rocketed into the 
dot-com stratosphere compounds the problem even further. And thereafter, 
such unauthorized data is made available to the world through the file sharing 
network. In other words, access to a P2P service can be best described as a 
passport to piracy. Indeed, it is a ‘theft’ of intellectual property. But the moot 
question is - Who is liable and to what extent? Is it the liability of the person 
who in an unauthorized manner downloaded the copyrighted content without 
paying the legitimate price or is it the P2P Software creator who is to be cau- 
ght by the long arm of the law or is it the Internet Service Provider who has 
abetted the offence? Whodunit? 

As copyright is technologically challenged, the courts become the arbi- 
ters of how copyright will be interpreted. (Halbert, 1999, p.50) They therefore 
shoulder a great responsibility to protect digital copyrights even where the le- 
gislature is yet to frame rules to respond to technological developments which 
lack legal sensitivity. 


2. Species of Secondary Infringement 


Unlike the Patent Act of the U.S. which makes those who actively induce in- 
fringement of a patent [4], indirectly liable as infringers, copyright law does not 
expressly render anyone liable for infringement committed by another. Howe- 
ver, the Courts cannot turn a deaf ear where technology poses a threat and law 
has not developed in commensurate terms to grapple with it. As a result, the ju- 
risprudential moorings of copyright law have produced doctrines of secondary 
liability grounded in common law principles. [5] 

It is largely agreed that copyright infringement can be classified into two 
broad heads — direct and indirect/ secondary/ third party infringement. Inter- 
mediaries such as ISP’s, P2P Networks and Online Bulletin Boards are liable 


140 


indirectly and the direct infringer is the ‘netizen’ who downloads the copyri- 
ghted content through the technological tools and infrastructure provided by the 
former few, thereby violating at least one of the exclusive rights granted by 
the copyright statute. 

The P2P network provider is generally sued, under the doctrines of se- 
condary infringement, for it is difficult to sue individual infringers as it is not 
worth the ‘time’ and ‘money’ to pursue a multitude of individual infringers 
who download copyrighted content without any sense of obligation to pay. 
When a widely shared service or product is used to commit infringement, it 
may be impossible to enforce rights in the protected work effectively against 
all direct infringers, the only practical alternative being to go against the di- 
stributor of the copying device for secondary liability on a theory of contribu- 
tory or vicarious infringement. [6] More so, because internet offers anonymity 
and infringers are made liable by physical courts which are located across po- 
litical boundaries. The worst part is that it is considered ‘natural’ to share as the 
large part of the world wide web is free. Netizens are inclined to believe that 
internet is public domain. The wise words of Justice Peterson [7] that ‘what is 
worth copying in worth protecting’ has little significance in the online envi- 
ronment where plasticity of digital media seduce netizens to believe, in the po- 
etic words of Tagore that ‘knowledge is free’. Strictly speaking, ‘knowledge 
is free’ indeed as it is difficult to commodify and fix a price tag on this noble 
intangible but in this age of ‘intellectual property’ what is taxed is the ‘access’ 
to this knowledge ‘good’. 

‘Good fences make good neighbors’, so said Frost in ‘Mending Wall.’ 
(1914) But cyburbia is borderless therefore a question of fencing copyrighted 
content against technological breach and abuse of piracy cannot be solved 
easily. Moreover, the free proprietary software provided by the P2P giants is ta- 
king piracy to unprecedented levels. 


2.1 Revisiting the Sony Betamax decision 


Copyright confers a bundle of exclusive rights upon the creator who is the first 
owner of copyrighted work. It is essentially a property right which can be trans- 
ferred, principally by way of license or an assignment. A copyright is said to 
be infringed when any of the exclusive rights conferred upon the copyright 
holder is violated. That way, copyright is not only a positive right granting the 
exclusive right to the creator to commercially exploit the work, but like the na- 
ture of the right in law of tort, it is essentially a negative right to prevent all 
others from enjoying the benefits arising from the use of such ‘intellectual pro- 
perty’. 


It is a settled law that [t]here can be no contributory infringement by a 


141 


defendant without direct infringement by another. [8] A good majority of such 
decisions have been delivered by the U.S. Courts [9], which has perhaps dealt - 
the maximum number of suits in respect of P2P technologies - from Napster to 
Aimster (later renamed “Madster”) to Grokster and so forth, all have been il- 
legal file sharing copyright disasters. 

It was Gershwin Publishing Corp. v. Columbia Artists Management, Inc. 
[10], where the Second Circuit Court noted that “one who, with knowledge of 
the infringing activity, induces, causes or materially contributes to the infrin- 
ging conduct of another, may be held liable as a ‘contributory’ infringer.” The 
intention of inducing or encouraging direct infringement was the ingredient to 
be satisfied in order to succeed in a claim of contributory infringement. The 
same Court in respect of vicarious liability succinctly observed that, “one may 
be vicariously liable if he has the right and ability to supervise the infringing 
activity and also has a direct financial interest in such activities.” Profiting 
from direct infringement while declining to exercise a right to stop or limit it 
was held to be a way of ascertaining vicarious liability. [11] 

The controversy as to whether the use of VTR’s were “fair use” or “pro- 
ductive use” and whether for the market sale of the same, could Sony could be 
declared liable for contributory infringement was settled by the U.S. Supreme 
Court in favor of Sony in its landmark decision delivered more than two de- 
cades ago. The Apex Court, arrived at the conclusion that Betamax is capable 
of “substantial non infringing uses” and the likelihood of market harm is mi- 
nimal, in effect holding that Sony’ s sale of Betamax VTR does not make them 
liable as contributory infringers considering that the principal use of this devise 
for “time shifting”, and thus ‘fair’. Though the District Court assumed that 
Sony had constructive knowledge of the probability that the Betamax machine 
would be used to record copyrighted programs, notwithstanding, it found that 
Sony merely sold a “product capable of a variety of uses, some of them alle- 
gedly infringing.” [12] 

The Sony Court observed that contributory infringement doctrine is gro- 
unded on the recognition that adequate protection of a monopoly may require 
the Courts to look beyond actual duplication of a device or publication to the 
products or activities that make such duplication possible. Holding VCR’s as 
capable of substantial non infringing uses, the Court held that sale of copying 
equipment does not constitute contributory infringement if the product is wi- 
dely used for legitimate, unobjectionable purposes. Expounding on the staple 
article of commerce doctrine, the Court observed [13] that the doctrine must 
strike a balance between a copyright holder's legitimate demand for effective- 
not merely symbolic-protection of the statutory monopoly, and the rights of 
others freely to engage in substantially unrelated areas of commerce. The Su- 


142 


preme Court made clear in the Sony decision that the producer of a product that 
has substantial non infringing uses is not a contributory infringer merely be- 
cause some of the uses actually made of the product (...) are infringing. [14] 
We know today that VCR did not harm the motion picture industry but a con- 
trario helped to enhance the sales of video cassettes. 

Justice Stevens in this one of a kind case concluded Sony’s Betamax 
fate by pointing out that new technology has created a lacuna in the statute, 
observing that “it is not the Court’s job to apply laws that have not yet been 
written”. However the Sony case imported the “staple article of commerce” of 
Patent law and transplanted it into copyright. 

The contours of indirect liability lack shape and at least one U.S. Di- 
strict Court conceded that “the lines between direct infringement, contributory 
infringement, and vicarious liability are not clearly drawn....” [15] which the 
Supreme Court has reaffirmed. [16] Indeed, considerations of causation, know- 
ledge, and intent are the pillars on which these doctrines of indirect liability dif- 
fer. Having knowledge and the ability to act to prevent infringement but 
willfully turning a blind eye or a deaf ear will not help in escaping liability 
under the tort of contributory infringement. 


2.2 The absurdity of the so-called “dual use” technologies in File 
Swapping Networks 


Dual use technologies refer to all such technologies which are capable of both 
infringing and substantial non infringing uses. Typewriters, Photocopying ma- 
chines and even VCR’s can be considered as “dual use’ technologies for the 
‘technology’ itself suffers from certain limitations that it is not easy to apply it 
for infringing purposes on a mass scale by the large majority without incurring 
costs in money, time and hardware, sufficient enough so as to deter breach of 
copyright laws, however P2P softwares on the digital superhighway coupled 
with the standard functions of ‘cut-copy-paste’ in Windows make them capa- 
ble not of, “both infringing and substantial non infringing uses”, but much the 
other way round, that the technology is appropriated principally to substantial 
infringing uses and used in infringing ways, and the non infringing use beco- 
mes ‘de minimis’ in copyright parlance. ‘Sharing’ is equivalent to copying and 
constitutes the most conspicuous use of the network. The piracy only escala- 
tes, thus growing the consumer base which bears a direct adverse impact on 
sales [17] and also empowers ‘them’ to become a worldwide distributor of ‘sto- 
len’ files thus implicating the technological abuse of the law. 

The P2P software providers are only interested to take advantage owing 
to the fact that statutory response to technological developments is slow. The 
fine thread which runs common to all such anonymous P2P distribution sys- 


143 


tems is the notoriety of how to evade the copyright roadblocks rather than de- 
vising technological responses to meet legal challenges. They would prefer to 
reap as much benefits as they could possibly, before they are dragged to the Co- 
urts, instead of developing technologies to prevent infringement of copyrigh- 
ted works. They take the ‘defense’ of “space-shifting” [18] or try to fit within 
the parameters of the Sony judgment by making illusory attempts, like provi- 
ding encryption technologies to encrypt their unlawful distribution of copyri- 
ghted materials [19] in the hope that it will click just like Sony’s defense of 
“time shifting” [20], attempt to resort to affirmative defenses of fair use [21] 
and substantial non-infringing use [22], (the latter defense of which stems from 
the staple article of commerce doctrine [23]), challenge [24] the injunctive re- 
lief on the first amendment free speech values [25] of the Constitution when it 
will little help; considering, that the judicial development of this four factor 
test of ‘fair use’, would under no circumstance permit wholesale copying of 
works [26], considering that ‘they’ themselves possess the knowledge that ‘the 
most credible explanation for the exponential growth of traffic to the website 
is the vast array of free MP3 files offered by other users - not the ability of 
each individual to space-shift music she already owns’ [27] and knowing fully 
well that there is little truth in the claim that majority of P2P users fully re- 
spect copyright laws. [28] 

Indeed, if technology is fettered through technological controls and ‘fil- 
tration’ tools which limit and/ or substantially reduce online infringement over 
the network, such that the non infringing purposes seem plausible in the che- 
quered history of such technologies, it may indeed be conferred the “dual use” 
status, for being capable of substantial non infringing use. 

However, the Courts themselves are witness to the fact that P2P tech- 
nologies have encouraged infringement by not only failing to act upon the 
knowledge of infringement, and that instead of developing filtering tools [29], 
the file sharing giants have actively induced customers to commit infringe- 
ment [30], thus expanding its customer base which in turn shall further adver- 
tising opportunities [31], the single most important source for generating 
revenue. 

Placing reliance on the staple article of commerce doctrine, Napster, the 
first P2P service to be sued, defended by claming that it only aims for “space- 
shifting” of digital data which constitutes ‘fair use’ and thus precludes liability 
for contributory or vicarious infringement by virtue of the application of the do- 
ctrine, however, the Court was unconvinced by this ‘stunt’ of distinguishing 
Sony, and was of the opinion that whereas the VCR manufacturer did not 
extend past manufacturing and selling the VCRs, Napster maintain[ed] and su- 
pervise[d] an integrated system that users must access to upload or download 


144 


files. [32] Therefore, Napster unlike Sony continued to exercise control over 
the device's use and maintained all files on a central server whose main purpose 
was to keep an index of all the Napster users currently online and connect them 
to each other. Though the server itself did not contain any of the MP3 files, it 
bridged the connection with another computer which hosted the requested file. 
This way Napster had reason to know of the third party's direct infringement 
and directly facilitated the same even though the infringing file never crossed 
Napster’s server. 

Moreover, plaintiff also demonstrated that [Napster] had actual notice of 
direct infringement because the Recording Industry Association of America 
(RIAA) informed it of more than 12,000 infringing files. [33] Placing reliance 
on Gershwin [34], the Napster Court held that law does not require actual 
knowledge of specific acts of infringement and rejected defendant's argument 
that titles in the Napster directory cannot be used to distinguish infringing from 
non-infringing files and that defendant cannot know about infringement by any 
particular user of any particular musical recording or composition. [35] 

The Court concluded that Napster, Inc. plays an active role in facilitating 
file-sharing and can be labeled as contributory infringers. Accordingly, it was 
held liable under this count. As to the defendant’s claim on vicarious copyri- 
ght infringement, the Court guided by the ingredients spelled out in the Gre- 
shwin judgment [36] coupled with the evidence which suggested that defendant 
possesses the ability to supervise Napster users including methods to block co- 
pyright infringers, the first test of vicarious infringement, that defendant has the 
right and ability to supervise the infringing activity stood satisfied. However, 
Napster did not earn revenue from the distribution of the software which was 
free. Yet, it was held vicariously liable, as plaintiff established that there is a 
reasonable likelihood that Napster, Inc. has a direct financial interest in the in- 
fringing activity and economic incentives for tolerating unlawful behavior [37] 
, including its plans to “monetize” its user base and derive revenues. Injunc- 
tive relief was granted in the mid of 2000 and Napster met its end in 2002 [38], 
though today it has resurfaced and operates but under the legal banner. 


2.3 Filling the void of Napster — The Legacy continues 


Next in queue was Aimster, which was not a pure P2P service, nevertheless, 
served the same purpose through a ‘new idea’ of technological misappropria- 
tion. The modus operandi of Aimster was to enable file swapping when both 
the users are online and connected in a chat room enabled by an instant-mes- 
saging service. Unlike Napster, it did not maintain its own server and copies 
of the songs were exchanged between the users without any involvement of 
Aimster, except that it provided the proprietary software that could be down- 


145 


loaded free of charge from its Web site. Aimster tried to play a cat & mouse 
game by claiming that it lacked the knowledge of infringing uses as the en- 
cryption feature of Aimster's service prevented Deep, the proprietor from know- 
ing what songs were being copied by the users of his system. 

The Court held that voluntarily turning a blind eye to infringement will 
not suffice and placed reliance on two cases to support its understanding where 
it was observed that ‘One who, knowing or strongly suspecting that he is in- 
volved in shady dealings, takes steps to make sure that he does not acquire full 
or exact knowledge of the nature and extent of those dealings is held to have 
a criminal intent’ [39] because ‘a deliberate effort to avoid guilty knowledge 
is all that the law requires to establish a guilty state of mind.’ [40] Thus, all 
roads by Aimster to escape liability were blocked by the Court which made it 
clear that neither technology nor precedent would provide a haven for pro- 
moting an illegal act. The Court also took the view that by eliminating the en- 
cryption feature (which was a part of the Aimster software and encrypted the 
file when the same was transferred from the sender to the recipient) and mon- 
itoring the use being made of its system, Aimster like Sony could have limited 
the amount of infringement. [41] Yet, Aimster was more interested in finding 
technical loopholes in the Sony verdict instead of introspecting and correcting 
the mess it had created. The Court of Appeals accordingly upheld the District 
Court’s order of granting preliminary injunction. 


2.4 Second generation P2P Softwares — Aimster gone but 
Grokster et al. is on 


The most successful alternative, Gnutella, was developed by Justin Frankel, a 
programmer who worked for one of the very companies suing Napster for co- 
pyright infringement. (King, 2002) This technology was employed by Stre- 
amcast, the makers of Morpheus whereas two other P2P services - Grokster and 
Kazaa relied on the FastTrack technology. To exploit the quandaries of the Na- 
pster Court and surpass the legal technicalities of theories imposing secondary 
liability, the technology promoted file sharing culture but unlike Napster, it 
did not provide a central server and ‘peer’ computers directly communicated 
with each other for file sharing purposes. Owing to the decentralized architec- 
ture of their software, the P2P Network succeeded at convincing the District 
Court and the Appellate Court, that they did not ‘monitor’ or ‘control’ the soft- 
ware's use thus proving their deceptive innocence. Notwithstanding, the Apex 
Court was discerning to observe the designs of these ‘experienced’ software 
providers and stopped them dead in their tracks by holding that ‘one who dis- 
tributes a device with the object of promoting its use to infringe copyright, as 
shown. by clear expression or other affirmative steps taken to foster infringe- 


146 


ment, is liable for the resulting acts of infringement by third parties.’ [42] The 
two providers promoted infringement through illegal acts of advertising an in- 
fringing use or instructing how to engage in an infringing use. In so many 
words, the Court held the file sharing software provider was liable under the 
inducement theory of contributory infringement. 

On the other side of the Pacific, Kazaa, the Internet file-sharing system 
met a similar fate where the Australian Court [43] restrained Kazaa to do any 
of the infringing acts, in relation to any sound recording without the license of 
the copyright owner. The Court observed that Kazaa has been designed to en- 
courage copyright infringement on a mass scale and that the company was 
aware that the major use of the Kazaa system was the transmission of copyri- 
ght material. 


2.5 Post Grokster & Kazaa - The Saga continues 


Subsequent to RIAA’s victory in ‘legally’ banning Grokster and Streamcast 
P2P services in mid 2005, it sent cease and desist letters to such “similarly si- 
tuated” seven P2P companies demanding that they halt their "practice of en- 
couraging users to illegally distribute copyrighted material". (Kawamoto, 2005) 
Some have had their lessons whereas others have learnt from the judicial blow 
to their ‘peer’ P2P’s but some still continue to take RIAA head on. Kazaa and 
Napster have now become legal. BearShare, eDonkey, and WinMX, all ceased 
operations as a result of the RIAA letter, however, LimeWire's operations con- 
tinued. (Mennecke, 2004) As a result, Limewire faces a lawsuit by RIAA under 
‘secondary liability heads of contributory copyright infringement and vicarious 
copyright infringement. 

Most of the P2P business giants have the power to prevent infringement 
of copyright but choose not to for their popularity and revenue generating ca- 
pacity increases by the every next user which succumbs to the temptation of 
P2P file swapping systems by subscribing to their free service. There is eno- 
ugh evidence to infer that the P2P giants are by no standard “innocent.” Shar- 
man’s Kazaa promoted its Version 3 by advertising on its website, ‘Having 
Kazaa is 100% legal’. Grokster and Streamcast had also displayed similar ‘tra- 


> 


its’. 
3. Pulling off the plug! Its time to catch the small fish 
There are millions of users of P2P software’s across the globe. Most of us, sit- 


ting in the comfort zones of our homes, justify in promoting this illegal busi- 
ness on the lame excuse that “the world is doing it”, however if we continue 


147 


to live in such an ivory tower, we may end up shelling a fortune from our po- 
cket for each file we download illegally. The RIAA and the Recording com- 
panies have started to sue individual infringers, left and right and have achieved 
moderate success. Unlike the P2P software companies, the users are directly 
liable for they directly violate the ‘exclusive rights’. It is not necessary that the 
user must profit in monetary terms. The very fact that his act shall reduce mar- 
ket sales or deprive the copyright holder from prospective revenue is an ille- 
gality enough to convict him for copyright wrongs. 

Recently, in October 2007, Jammie Thomas has been pronounced guilty 
by a U.S. Court in America’s first ever jury trial for "making available" 24 
songs for download. [44] In another case instituted by the RIAA [45], the U.S. 
District Court in August 2007 held an individual infringer liable for making 
available 54 identified sound recordings on Kazaa P2P server for “peer down- 
load.” The very same Media Sentry, the cyber cop which had assisted to burst 
the bubble in the Kazaa case, played a similar role is this case as well. 

The principles which aid in ascertaining liability for copyright infringe- 
ment on the world wide web have been propounded in a catena of judicial de- 
cisions, chief among them have been dealt in this section. It was the Hotaling 
[46] case which held that ‘the owner of a collection of works who makes them 
available to the public may be deemed to have distributed copies of the works’. 
The Court also observed that in order to establish “distribution” of a copy- 
righted work, a party must show that an unlawful copy was disseminated “to 
the public.” “Distribution” of copyrighted works is the heart of P2P business 
and “distribution” in copyright parlance need not involve any physical trans- 
fer. [47] The more number of users, the higher amount of revenue generation 
and greater number of copyrighted digital files ‘traded’ for free. In fact, the 
District Court [48] in the Napster case noted that Napster itself ‘pretty much’ 
acknowledge[s] that the user’s activity of downloading and uploading ‘free 
copyrighted digital files’ constitutes infringement. 

This reflects that when the law comes to ascertain responsibility for the 
alleged wrongs, it is natural for those, who are on the wrong side of the law to 
“pass the buck”. 

Where the plaintiff was sued for the tort of direct infringement, she tried 
to limit her liability by arguing that the alleged infringement would not have 
been possible without the use of the P2P software and therefore the creator of 
the software must be made a necessary and indispensable party to the suit 
which was turned down by the Court. [49] The evasive ‘stunt’ did not help. 

Uploading files to the search index or in the ‘shared folder’ violates the 
exclusive right of distribution conferred upon the copyright holders whereas 
downloading files constitute the very basic copy-right of the holder - the right 


148 


of reproduction or making copies. Where the individual infringer attempted to 
shield herself by contending that it an abuse of the legal process to organize a 
large-scale legal assault on small-scale copyright infringers, the Court nega- 
tived the same holding it necessary to bring would-be infringers in compliance 
with the law. [50] The defense that P2P software [Kazaa] has an automatic up- 
load feature which causes any user to unknowingly distribute computer files 
over the internet [51] also lacks merit since any prudent ‘peer’ user with basic 
knowledge of the P2P architecture would know that one has to copy-paste the 
externally obtained file in “my shared folder” to share it with the world. More- 
over, lack of intent to infringe [52] or even where the defendant believes in 
good faith that he is not infringing a copyright [53] does not excuse legal lia- 
bility under the scanner of copyright jurisprudence. Innocent infringement can 
at the maximum - limit liability, but cannot exonerate the accused as if no 
wrong had been ever committed. In a capsule, the moral of the story for indi- 
vidual clients is that it is better to be safe than sorry by avoiding participation 
in infringing activities. The law will catch up, it is only a matter of time. 


4. Do we need to tighten the belt? — Policy Options & Alter- 
native Approaches 


It has been said that: 


Men make laws, laws govern men 
If men grow flaws, shouldn’t laws change then? 


Copyright legislations have been in place much before the online sharing cul- 
ture started but that has served little ‘deterrence value’, much less than deter- 
ring a prospective purchaser to exercise his free download option than making 
a purchase decision. Thus, the economics of deterrence suggests alternative 
realistic approaches to turn things around. They may be tersely stated under the 
following heads. 


4.1 Social Awareness 


There is a compelling need to spread awareness about copyright laws, not as a 
tool of deterrence but in the context of social development. Times have gone 
where Courts pronounced that there are no property rights in information.[54] 
It is incumbent on the Government to address and educate the masses by using 
its various forums of communication including print media and information 
broadcasting. More than anything else, endeavor has to be made to foster re- 
spect for copyrighted works. Deterrence through laws is only a piecemeal at- 


149 


tempt. The online copy culture is much deep rooted and pervasive. 

The information society has to be made aware of the concept that there 
is something known as an ‘intellectual property’ theft against the generally un- 
derstood concept that ‘theft’ is a legal wrong only in respect of a tangible ob- 
ject. The legal maxim that ‘ignorance of law is no excuse’ looks good more on 
paper than in actuality. That should not be an excuse for the Government to 
sleep over its duties. Not only there is ‘ignorance of law’ in respect of intel- 
lectual property in the electronic age but more importantly - the sense of 
‘wrong’ in committing, what is considered as ‘electronic theft’ is missing. Pe- 
ople have not been sensitized and it is for such harsh realities that ‘action’ is 
more important than just ‘reaction’. For such reasons, the authors are of the 
view that the Government has a big role to play in the face of ensuring social 
justice. Affected industries such as the recording industry have rampaged on 
anti-piracy campaigns to protect commercial interests but the Governments 
have to act pro bono publico to encourage the genius of tomorrow, to ignite the 
creative potential of an artist, to ensure just rewards for labor and at the helm 
of all ‘to promote the progress of science and useful arts’, even if it involves 
protecting the interests of rich industries. 


4.2 Legal response to technological advances 


Law has to respond to technology. Since technology progresses exponentially, 
it necessitates a commensurate response by the legislator to act in order to con- 
trol the excesses of the latter by human beings. U.S. is known for its techno- 
logical might and it is apposite to study the developments of law to reign the 
abuse of technology. For instance, the legal response to fill the lacuna in copy- 
right law and protect the work in the digital environment can be observed sub- 
sequent to the LaMacchia case where LaMacchia, a twenty-one year old 
student at the Massachusetts Institute of Technology (MIT) set up an electronic 
bulletin board and had made available, copyrighted software applications and 
computer games over the internet, however he was acquitted of charges of 
copyright violations because he did not ‘sell’ the software that he had pirated 
which led to the enactment of No Electronic Theft Act (NET Act) in 1997, 
which criminalizes the reproduction or distribution of copyrighted products 
(even) without any financial gain, an offence. 

The U.S. Govt. for instance has enacted the Audio Home Recording Act, 
1992 (AHRA) to combat the problem of digital audio private copying. The Act 
combine[s] a royalty payment system on digital audio recording devises and 
media for the benefit of copyright owners with the obligation to incorporate a 
technical control mechanism to prevent unauthorized serial copying of copy- 


150 


righted works in digital audio recording and interface devises. (Davies, 2002, 
p.89) 

However, the significance of AHRA in the digital environment is getting 
diluted for it only applies to “digital audio recording devices” [55] (whose pri- 
mary purpose is to make a digital audio copied recording for private use) and 
following the observation made in the Diamond Rio case [56], computer ‘hard 
drive’ are exempt from this provision, for their primary purpose is not to record 
digital audio, neither the statutory language intends to include it within the fold 
of AHRA. (Moser, 2001, p.62) However, with the enactment of the Digital 
Millennium Copyright Act in 1998, the United States has made a progressive 
leap to protect copyright in commodities of e-commerce as the Act makes it il- 
legal to circumvent “effective technological measures” protecting a copy- 
righted work. 

Not only is there a prohibition against circumvention of access-control 
technology but also prevents unauthorized copying of the work, once the ac- 
cess has been lawfully obtained. The United Kingdom too, has through S. 296 
of the Copyright, Designs and Patents Act 1988 classified circumvention of 
copy-protection technology as an offence for the purpose of infringement. 
Thus, there is a need to enact and/ or update laws to protect copyright in the in- 
ternet age. 


4.3 Public Interest exemptions — Do we have a case? 


Like “time shifting” was to Sony, could “space shifting” could be to P2P Net- 
works? This defense was taken up by Napster, where the technology could be 
used to convert a CD which the consumer already owns and transferring the 
MP3 version of it through the software, say from home to office. But the Nap- 
ster Court rejected this defense is not enough ‘attraction’ for its user base con- 
sidering the evidence on record that the software was mostly used for infringing 
purposes and such a use was ‘de minimis’, neither substantial enough to pre- 
clude liability under the staple article of commerce doctrine. 

Though the "fair use" defense recognizes that rigid application of the 
copyright statute would at times hinder the purpose of the copyright laws to 
promote original and creative works for the benefit of society [57], yet it is in- 
applicable in the present situation for it is evident that the ‘socially harmful’ use 
in permitting the software would outweigh its ‘socially beneficial’ use, there- 
fore it is only in public interest that the red signal is shown unless there is a 
technological response to solve this legal quandary. - 


151 


4.4 Technological copy controls 


The answer to the machine is in the machine said Charles Clark. Tia Hall writes 
that ‘A few of the "Big Five" major music labels are currently experimenting 
with anti-piracy technologies designed to combat the on-line file sharing of 
their products through peer-to-peer networks.’ (2002) The article reveals that 
now such copy control technologies exist which can prevent consumers from 
listening to CDs on any type of CD-ROM or DVD player or permit listeners 
to play copy-protected CDs on not more than a single PC or to prevent con- 
sumers from reformatting songs into MP3 files and burning copies, or making 
them available on file-sharing systems. The idea is to prevent the ordinary 
buyer from indulging into acts of piracy. 

New technologfies], called “digital ‘watermarking’ ” and “digital fin- 
gerprint[ing],” can encode within the file, information about the author and the 
copyright scope and date, which “fingerprints” can help to expose infringers. 
[58] There are companies such as the New York based MediaSentry which pro- 
vides online anti-piracy services. The technology in the words of Vice Presi- 
dent Tom Mizzone ‘tracks many popular distribution mediums including P2P 
networks ... using sophisticated scanning and detection software, to locate files 
that are suspected of infringing the rights of copyright owners’. [59] The soft- 
ware obtains the IP address and screen name of each user, and downloads a 
selection of files offered by each user which can then be reported to copyright 
owners for taking necessary action. 


4.5 Seller ‘beware’ 


In the same vein, it is contended that entertainment and software industries 
must avoid to radically ‘overcharge’ the consumer which will go a long way to 
discourage piracy. Corporate interests are important but software industries 
and entertainment houses ought not exercise unbridled sovereignty over the 
dot com network. In the words of Gordon, ‘a work distributed in expensive 
form is less socially valuable than the same work distributed to not only five, 
but also to a thousand more in an inexpensive edition.’ (Gordon, 2003, p.xvii) 
Moser Baer CD’s of Bollywood movies are being offered for sale at prices 
below that of the pirated markets in India. As a result, consumer has shifted his 
loyalties to be on the safe side of the law than attract unwanted attention from 
it. Apple’s online music service provider iTunes, is a digital music service 
where one can download almost any song from a major music company, for 
only 99 cents. (Wadhwa, 2007, p.18) There are many others such as Dell and 
BuyMusic who have setup online music services on a similar business model. 


152 


4.6 E-Governance - Thinking Futuristic 


Indeed in the hustle bustle of this information superhighway, speed is the name 
of the game. There are no speed breakers and no traffic policemen on this un- 
regulated highway which bears an ‘international character’. Private copying 
could have been regarded as de minimis use only in the analog world. ‘Drivers’ 
akin to natural persons carry ‘packets of information’ but it may not be easy to 
differentiate the law abiding ‘driver’ from the ‘driver’ who has stolen such 
‘packets of information’ for this technology offers anonymity and such drivers 
with the stolen ‘packets of information’ may just get away with it, if they know 
the right ‘exits’ on this global superhighway. [60] Cyber patrolling is not an 
easy chase. 

Technological revolutions in mass production (especially the digitiza- 
tion of literary and musical works), coupled with the phenomenal growth of the 
consuming public, renders national law on illicit copying useless. (Griffiths & 
Suthersanen (eds.), 2005, p.110) When Pirate Bay (considered as the world's 
largest BitTorrent tracker, a P2P technology which allows users to share torrent 
files for free) was closed in Sweden in 2006 following a raid by the Swedish 
Police, it was only a matter of few days for it to resurface from a ‘foreign land’, 
which in this case was Netherlands. Likewise, it was not easy to catch the once 
Amsterdam based Kazaa Network which in the words of Toddy had its servers 
in Denmark, software in Estonia, domain registered Down Under, corporation 
on a tiny island in South Pacific and 60 million users across the globe. (2003) 

A serious international deliberation and co-operation is required to ‘fix’ 
the situation. What Shawn Fanning started as a fascination in 1999 has become 
big business for anyone who can manage to device a file sharing software and 
trigger a nuclear piracy of copyrighted creations. There is a pressing need to fil- 
ter the wheat from the chaff by permitting only legal P2P services who take re- 
alistic technological measures to curb piracy on their networks as against those 
which have been devised solely with the purpose of destroying the market of 
copyrighted digital entertainment media. 


4.7 A legislative clause that P2P Services are prohibited by law 


Recording companies and the RIAA would have ordered the legislature to 
come out with such a legislation were they to sit on the Bench and judge their 
own cause. But such a decision is not in public interest, considering the man- 
date of copyright laws and the fundamental guarantee of free speech and ex- 
pression. When courts shut down new technologies, the world may literally 
never know what it is missing. (Lemley & Reese, 2004, p. 1389) 

It cannot be out ruled that P2P softwares may be capable of substantial 


153 


non infringing uses if they use filter technologies which separate the copy- 
righted from the non copyrighted works. Kazaa was given this option by the 
Australian Court but it failed to implement it then. In the light of the present 
scenario where copyrighted works particularly works of entertainment have 
assumed a global significance, it is important to chart out a ‘Magna Carta’ to 
prevent illegal digital exploitation of copyrighted works. All the above policy 
solutions and technological alternatives may serve as indices to come out with 
a model draft which requires an implementation on a global scale, otherwise 
the pirate companies shall only ‘space shift’ their technologies to safer havens, 
like Kazaa and Pirate Bay did. 


5. A ray of hope... 


With the growth of internet users, markets are becoming increasingly global 
and we all have to realize that no country benefits from the theft of another’s 
intellectual property. In the world of innovation, even the devil must get his just 
dues. Copyrighted digital data without copy controls on the information su- 
perhighway is a work which for the purposes of copyright is as good as infor- 
mation ‘deemed to be in public domain’ for it then enters the domain of 
‘uncontrolled exchange’. However, keeping in mind, the interests of film, 
music, software industries, weighed against the larger public interest to have 
lawful access to copyrighted works and maintaining the pride of public do- 
main, a blanket ban is not a solution as against technological controls which do 
seem to offer solutions. 

The jurisprudential development of copyright urges one to share but we 
have to learn to ‘share with care’. We have to learn to respect intellectual prop- 
erty even if we believe that we have are remote chance of being caught by the 
law as individual infringers. We should make efforts to curtail our selfish in- 
terests in the larger interests of public good. Such a cyber culture in the after- 
math of digital revolution shall only stifle innovation and promote the evil 
designs of pirates. It is difficult to trade honesty with profitability, but some- 
where somehow a beginning has to be made. 

It has also been suggested that governments should have a positive 
“copyright policy”, the aims of which should be to keep their copyright laws 
continually under review, so as to adapt them quickly to the changing envi- 
ronment and the challenges posed by rapid technological change, and to main- 
tain a balance between the interests of the creators, on the one hand, and those 
of the public, on the other, thus ensuring the protection of both individual and 
collective interests. (Davies, 2002, p. 358) The moot question is not whether 
to act in the in the interests of entertainment industries or against the interests 
of file sharing giants. What is important that policy makers and technocrats of 


154 


the world should jointly and on a regular basis deliberate across the table on a 
global level to devise feasible solutions from an overall perspective. Indeed, 
copyright in the electronic era has become the most endangered specie. We 
need to act fast but with a balanced approach. The authors hope that the above 
posited solutions serve as an outline to start upon. 


Notes 


[1] From Greenspan’s testimony in 1983 on the Home Recording Act. Hearings before 
the Subcommittee on Patents, Copyrights and Trademarks, October 25, 1983. cf. 
Liebowitz, S. (2003). In Gordon, W. J., Watt, R (eds.), The Economics of Copyright: 
Developments in Research and Analysis. UK: Edward Elgar. 

[2] 8 Anne, c. 19 (1710). Statute of Anne, 1710 is the first Copyright legislation (England) 
in the world. 

[3] For instance, it has been alleged that the Congress enacted the Copyright Term Exten- 
sion Act (CTEA) of 1998 which raised the term of copyright protection from the stan- 
dard Berne 50 years p.m.a. to 70 years p.m.a. as result of extensive lobbying efforts 
of Disney whose copyrights in major cartoon characters including “Mickey Mouse” 
were on going to expire. 

[4] 35 U.S.C.A. § 271 (b) 

[5] See M-G-M Studios., et al. v. Grokster, Ltd., et al. 545 U.S. 913, 914 (2005) 

[6] M-G-M Studios., et al. v. Grokster, Ltd., et al. 545 U.S. 913, 929-930 (2005) 

[7] University London Press v. University Tutorial Press (1916) 2 Ch 60 

[8] Religious Tech. Ctr. v. Netcom On-Line Communication Services., Inc., 907 F.Supp. 
1361, 1371 (N.D.Cal.1995) 

[9] The first such case arose in 1908 in Scribner v. Straus, 210 U.S. 352 (1908). 

[10] 443 F.2d 1159, 1162 (CA2 1971) 

[11] See Shapiro, Bernstein & Co. v. H.L. Green Co., 316 F.2d 304, 307 (C.A.2 1963). See 
also Fonovisa, Inc. v. Cherry Auction, Inc. 76 F.3d 259 (1996) 

[12] Sony Corporation of America, et al. v. Universal City Studios, Inc., etc., et al. 464 
U.S. 417 (1984) 

[13] Sony Corporation of America, et al. v. Universal City Studios, Inc., etc., et al. 464 
USS. 417, 442 (1984) 

[14] In re Aimster Copyright Litigation 334 F.3d 643, 647 (2003). The Sony Court placed 
reliance on the staple article of commerce doctrine in 480 F.Supp. at 468 (1979) where 
it was observed that ‘Whatever the future percentage of legal versus illegal home-use 
recording might be, an injunction which seeks to deprive the public of the very tool or 
article of commerce capable of some noninfringing use would be an extremely harsh 
remedy, as well as one unprecedented in copyright law.’ 

[15] 480 F.Supp. 457-458 (1979). 

[16] Sony Corporation of America, et al. v. Universal City Studios, Inc., etc., et al. 464 
USS. 417 (1984) 

[17] See observation of Fine Report at A & M Records, Inc. et al. v. Napster, Inc. 114 
F.Supp.2d 896, 909-910 (2003) 


[18] See defense of Napster at J 10, A & M RECORDS, INC. et al. v. Napster, Inc. 114 


155 


F.Supp.2d 896, 904 (2000). “Space-shifting” refers to the process of converting a CD 
the consumer already owns into MP3 format and using Napster to transfer the music 
to a different computer-from home to office. 


[19] See In re Aimster Copyright Litigation 334 F.3d 643, 653, 654 (2003) 


[20] See observations of the U.S. Supreme Court in Sony Corporation of America, et al. v. 
Universal City Studios, Inc., etc., et al. 464 U.S. 417, 456 (1984) 


[21] UMG Recordings, Inc., v. MP3.com, Inc. 92 F.Supp.2d 349 (2000) 


[22] See Napster defense § 1, A & M Records, Inc. et al. v. Napster, Inc. 114 F.Supp.2d 
896, 912 (2000) 


[23] The staple article of commerce doctrine stipulates that where technology capable of 
both infringing and ‘substantial noninfringing uses.’, the manufacturer of a staple ar- 
ticle of commerce cannot be held liable for infringement by purchasers of that prod- 
uct. 


[24] See] 1, A & M Records, Inc. et al. v. Napster, Inc. 114 F.Supp.2d 896, 922 (2000) 


[25] Freedom of speech is granted by the first amendment to the US Constitution. See A 
& M Records, Inc. et al. v. Napster, Inc. 114 F.Supp.2d 896, 922 (2000) and In re Aim- 
ster Copyright Litigation 334 F.3d 643, 656 (2003) 


[26] Napster (A & M Records, Inc. et al. v. Napster, Inc. 114 F.Supp.2d 896, 913) citing 
Marcus v. Rowley, 695 F.2d 1171, 1176 (1983) 


[27] 1 15, A & M Records, Inc. et al. v. Napster, Inc. 114 F.Supp.2d 896, 916 (2000); See 
M-G-M Studios., et al. v. Grokster, Ltd., et al. 545 U.S. 913, 922, 947 (2005) 


[28] 90% of the files available for download on the FastTrack system were copyrighted 
works, which was merely 3% greater than Napster’s threshold of copyrighted files 545 
U.S. 913, 922, 923 (2005) 


[29] See M-G-M Studios., et al. v. Grokster, Ltd., et al. 545 U.S. 913 (2005) 

[30] See M-G-M Studios., et al.v. Grokster, Ltd., et al. 545 U.S. 913, 924 (2005) 

[31] See M-G-M Studios., et al. v. Grokster, Ltd., et al. 545 U.S. 913, 926 (2005) 

[32] See 16 A & M Records, Inc. et al. v. Napster, Inc. 114 F.Supp.2d 896, 917 (2000) ` 
[33] See { 2 A & M Records, Inc. et al. v. Napster, Inc. (2000) 114 F.Supp.2d 896, 918 


[34] Gershwin Publ'g Corp. v. Columbia Artists Management, Inc., 443 F.2d 1159, 1163 (2d 
Cir.1971) 


[35] See 13, A & M Records, Inc. et al. v. Napster, Inc. 114 F.Supp.2d 896, 918 (2000) 
[36] See supra at Note 34 

[37] See { 3, A & M Records, Inc. et al. v. Napster, Inc. 114 F.Supp.2d 896, 921 (2000) 
[38] Napster is “alive” and operates in Canada 

[39] See United States v. Giovannetti, 919 F.2d 1223, 1228 (1990) 


[40] See United States v. Josefik, 753 F.2d 585, 589 (1985); AMPAT/Midwest, Inc. v. Illi- 
nois Tool Works Inc., 896 F.2d 1035, 1042 (1990) 


[41] 334 F.3d 643, 654 (2003) 
[42] 545 U.S. 913, 937 (2005) 
[43] Universal Music Australia Pty Ltd v Sharman License Holdings Ltd [2005] FCA 1242 


[44] Virgin Records America, Inc. v. Thomas 2007 WL 2899450 (D.Minn.) (Special ver- 
dict form) 


[45] Atlantic v. Howell No. 2007 WL 2409549 (D.Ariz.) August 24, 2007, Order Granting 
Summary Judgment to Plaintiffs. 


156 


[46] Hotaling v. Church of Jesus Christ of Latter-Day Saints 118 F.3d 199, 203 (1997) 

[47] See Atlantic v. Howell 2007 WL 2409549 (D.Ariz.) (District Court decision, State of 
Arizona, United States of America) 

[48] A & M Records v. Napster, Inc. 2000 WL 1009483 (transcript of proceedings). The 
United States Court of Appeals also placed reliance on this observation of the District 
Court in holding the Napster users responsible for copyright infringement. 

[49] See Interscope Records v. Duty 2006 WL 988086, 2 (D.Ariz.) 

[50] Interscope Records v. Duty 2006 WL 988086, 7 (D.Ariz.) 

[51] ibid , 

[52] Ventura County v. Blackburn 362 F.2d 515, 518 

[53] Pye v. Mitchell 574 F.2d 476, 481 

[54] See Oxford v. Moss (1979) 68 Cr. App. Rep. 183., R. v. Stewart, [1988] 1 S.C.R. 963 

[55] See Title 17, U.S. Code, §.1001(3) of Copyright Act (1976) 

[56] RIAA v. Diamond Multimedia 180 F.3d 1072. The Court basing their observation 
upon perusing the statutory language and legislative history concluded that AHRA 
does not apply to a computer hard drive. 

[57] See Campell v. Acuff-Rose Music, Inc., 510 U.S. 569, 576-80 (1994) (stating that the 
defense "permits and requires courts to avoid rigid application of the copyright statute 
when, on occasion, it would stifle the very creativity which that law is designed to fos- 
ter"). 

[58] M-G-M Studios., et al. v. Grokster, Ltd., et al. 545 U.S. 913, 964 (2005) 

[59] See Universal Music Australia Pty Ltd v Sharman License Holdings Ltd [2005] FCA 
1242 

[60] It can be said that Recording Industry Association of America (RIAA) is constantly 
“patrolling” the “digital superhighway” for direct copyright infringers. The RIAA's 
zero-tolerance copyright campaign launched in September 2003, and has launched 
more than 20,000 lawsuits since then. 


References 


1) Davies, G., (2002). Copyright and the Public Interest. London: Sweet & Maxwell 

2) Frost, R., Mending Wall (1914) 

3) Geetesh, A. (2007). File sharing universe: An Analysis of the Issues involved. Re- 
trieved October 12th, 2007, from http://ipr.indlaw.com/display.aspx?2489 

4) Gordon, W. J., Watt, R. (2003). The Economics of Copyright: Developments in Re- 
search and Analysis. UK: Edward Elgar 

5) Griffiths, J. & Suthersanen, U. (eds.) (2005). Copyright and Free Speech: Compa- 
rative and International Analyses. Oxford University Press 

6) Halbert, D. J. (1999). Intellectual Property in the Information Age: The Politics of 
Expanding Ownership Rights. London: Quorum Books. 

7) Hall, T. (2002). Music Recording and the Audio Home Recording Act. Duke L. & 
Tech. Rev. 0023. Retrieved October 12th, 2007 from http://www.law.duke.edu/jour- 
nals/ditr/articles/2002dltr0023.html. The author describes the Big Five major music 
labels which are Bertelsmann’s BMG (BMG Entertainment), Vivendi Universal, 
Sony, EMI Group, and AOL Time Warner. 


157 


8) 
9) 


10) 


11) 
12) 


13) 
14) 


15) 


16) 


King, B., (2002, May. 15). The Day the Napster Died. Wired. Retrieved October 
12th, 2007, from http://www.howstuffworks.com/framed.htm?parent=napster.htm 
&url=http://www.wired.com/news/mp3/0,1285,52540,00.html 


Lemley, M. A., Reese R. A. (2004). Reducing Digital Copyright Infringement wi- 
thout restricting Innovation. Stanford Law Review (56). Retrieved October 12th, 


‘2007, from Westlaw database 


Lin, I. (2004). Innovation in the Networked World. In Barker, C. (ed.), Innovation 
and Imagination at Work. New Delhi: Tata McGraw-Hill Edition. 

See Kawamoto, D. (2005, Sep. 15). Record labels send more letters to P2P servi- 
ces. ZDNet News. Retrieved October 12th, 2007, from http://www.afterdawn.com/ 
news/archive/6829.cfm 

See Mennecke, T. (2006, Aug. 4) LimeWire sued by the RIAA, Slyck New. Re- 
trieved October 12th, 2007, from _ http://www.afterdawn.com/news/archive/ 
7802.cfm 
See Moser, D.J. (2001), Music Copyright for the New Millennium, Thomson Co- 
urse Technology. 
See Woody, T., (2005, February). The Race to Kill Kazaa. Wired 11.02. Retrieved 
October 12th, 2007, from http://www.wired.com/wired/archive/11.02/kazaa.html. 
See Wadhwa, A. (2007). Overcoming the Challenges Posed by Dual-Use Techno- 
logy to Traditional Copyright Law — From Betamax to Grokster and Beyond. Re- 
trieved October 12th, 2007, from http://students.indlaw.com/display.aspx?2495 


Tagore, R., Where The Mind is Without Fear , Geetanjali (1910) 


158 


Harassment through the Digital Medium 
A Cross-Jurisdictional Comparative Analysis on 
the Law on Cyberstalking 


Warren Chik 


Assistant Professor of Law 
Singapore Management University School of Law 
LLB (Hons) NUS, LLM (IBL) University College London, LLM (ICL) Tu- 
lane University 
Advocate & Solicitor (Singapore), Solicitor (England & Wales), Attorney & 
Counsellor at Law (New York) 


Abstract. A recent phenomenon that is steadily becoming a pro- 
blem in every country with a high level of electronic connectivity is the 
act of cyberstalking. This paper analyses and compares the cyberstal- 
king laws of several key jurisdictions to determine the common elements 
and treatment amongst them with a view to the formulation of a propo- 
sed statutory solution that will take into consideration the different rights 
and interests of members of society in the use of digital media for social 
interaction. 


1. Introduction: Issues in Cyberstalking 


The cyber world is an extension of the real world. It is another dimension where 
we can work, study and play. The benefits are tremendous; in particular ad- 
vances in information technology have enabled a whole new medium of elec- 
tronic messaging without the hurdles of cost, time and effort that we face in the 
physical realm. On the Internet, people also tend to lose their inhibitions. They 
create avatars for online gaming and online personas. Sometimes identities are 
revealed, but sometimes anonymity is kept. Particularly in the latter case, it 
emboldens people to act as they may not normally do offline. That is where 
problems emerge in the virtual realm that has real world consequences. 

Why is online stalking more of a problem than offline stalking? Before 
proceeding to consider the issue, it must be emphasized that whether it is per- 
formed online, offline or both, the acts that amount to stalking behaviour are 
the primary concern. However, the medium is also important for its many im- 
plications. First, the ease of use and hence lesser impediments to aggressive be- 
haviour; second, the borderless nature of electronic communications medium 
and concomitant jurisdictional concerns; third, the type of evidence and means 
of its collection; fourth, the lack of educative and deterrent effect of current 
laws; and fifth, the lack of effective laws, or of any law at all, to deal with the 
problem in some countries and in the international fora] ] 


159 


Cyberstalking has become a concern that has translated into law in larger 
jurisdictions with more matured technological infrastructure such as the United 
States, the United Kingdom, Canada, Australia and Japan[2] Even for a coun- 
try which is geographically small, its ‘virtual geography’ is borderless, partic- 
ularly if it has a high density in electronic and telecommunications 
connectivity, sophisticated and technologically savvy users, and low cost sub- 
scription to the Internet, cellular and other static and mobile forms of elec- 
tronic and digital forms and channels of communication. Although this may not 
necessarily translate into a greater number of stalking behaviour within the 
country, and even though there are no official statistics to show that there has 
been such an increase, the fact remains that there is a greater likelihood of, and 
a conducive IT infrastructure and computing environment for, such anti-social 
harassing behaviour to be perpetrated. 

Existing bases of law such as through computer misuse legislation or 
common law such as the tort of harassment only indirectly provide some tem- 
porary solution to the problem. They are neither comprehensive nor definitive 
or unambiguous enough in their application. They are also indirect and the 
criminal punishments or civil redress as the case may be may not be appropri- 
ate. Also, existing laws relating to harassment or intimidation tend to be fact- 
or relationship- specific, and are thus also inadequate to meet the needs of mod- 
ern society. 

In Part 2 of this paper, I will briefly use the current coverage under Sin- 
gapore law to show why and how piecemeal development of law and anti- 
quated harassment legislation are inadequate to meet the needs of every victim 
of stalking, and in particular, cyberstalking. In Part 3, I will make a compara- 
tive analysis of the laws in various jurisdictions to see how other countries 
have dealt with the problem in order to draw lessons from them and also to 
highlight the rights and interests that have to be considered and balanced in 
formulating a legislative provision to deal with it. Suggestions will be made as 
to the appropriate approach in both form and substance to cyberstalking legis- 
lation. In Part 4, I will consider the appropriate measures and punishments or 
redress to deal with stalkers. I will also briefly highlight the issue of prescrip- 
tive, adjudicatory and enforcement jurisdiction and the need for international 
cooperation through the harmonization of laws, in the coordination of proce- 
dural investigative efforts, and in recognition and enforcement laws. 


160 


2. Cyberstalking in Singapore: Emerging Problems in a 
Rapidly Digitised Society, the Search for a Solution and the 
Limitations of Current Laws 


2.1. Lack of Comprehensive Coverage 


Faced with problems of threatening or unwanted electronic communications, 
the question arises as to whether cyberstalking as a phenomenon is adequately 
addressed under the law. Harassment laws to an extent provide for some re- 
course, but it is not sufficient to address the needs of the individual in a digi- 
tal environment, not least because such laws are piecemeal and too specific. 
Current harassment laws can be divided into three categories: Harassment 
and/or intimidation laws, which are often relationship specific or situa- 
tional/contextual and those that are generally applicable. 


2.2. General 


In Singapore, sections 13A and 13B of the Miscellaneous Offences (Public 
Order and Nuisance) Act (Cap. 184) (MOA), make it an offence for a person 
to use “threatening, abusive or insulting” words and behaviour with the intent 
to cause harassment, alarm or distress. However, based on legislative history, 
they appear only to cover inter-praesentes behaviour and not to electronic com- 
munications where the parties are physically removed[3] They also do not 
cover other forms of behaviour which should also constitute harassment and 
which are typical to stalking behaviour such as sending messages or gifts, fol- 
lowing or tailing someone and conducting electronic or physical surveillance 
on someone. Moreover, they do not take into account the fact that even with- 
out bad intentions such conduct can have a negative effect on the victim and 
even on society. There are social concerns relating to the act of stalking, par- 
ticularly in the virtual context, which are not addressed by this legislation, 
which include the infringement of privacy (i.e. the right to be left alone or right 
to solitude) and peace. 

At the turn of the millennium, the case of Malcomson Nicholas Hugh 
Bertram & Anor v. Naresh Kumar Mehta [4]was brought before the Singapore 
High Court. It involved an ex-employee harassing his ex-employer and com- 
pany staff via electronic mail, SMS messages, telephone calls and postal mail. 
It was in this case that the then Judicial Commissioner Lee Seiu Kin first rec- 
ognized the tort of harassment in Singapore by defining it as “a course of con- 
duct by a person, whether by words or action, directly or through third parties, 
sufficiently repetitive in nature as would cause, and which he ought reason- 
ably to know would cause, worry, emotional distress or annoyance to another 


161 





person”. However, he gave the caveat that the definition was not meant to be 
exhaustive but was valid to the extent that it “sufficiently encompasses the 
facts of the present case in order to proceed with a consideration of the law” [5] 
An injunction was given to restrain the ex-employee from continuing his acts 
on the basis of harassment as well as on the basis of trespass and nuisance [6] 

Malcomson v. Mehta itself is inadequate to address stalking cases, in 
particular cyberstalking, for several reasons. First, Lee JC postulates only a 
general rule which is sufficient for the case in question; hence it suffers from 
ambiguity, being the only case so far on the subject. Second, victims take civil 
action only as a last resort because of the time, cost and effort involved in col- 
lecting evidence and mounting such cases. Third, the remedies involved do not 
address the root cause of most cases of stalking and cyberstalking that involves 
people with psychological problems and for whom other measures, such as 
mental assessment, treatment and counseling, may be more appropriate. 

However, it is to be noted that the tort of harassment as enunciated by 
Lee JC is established on the basis of the foreseeability of the effect of acts or 
words on the mental state of the victim, even if it were just an annoyance. This 
will be important later when we look at the legislative approaches in other 
countries and in my recommended definition and scope of the cyberstalking 
law. 

A case which illustrates how a form of stalking is dealt with under an ex- 
isting criminal legislation that may not always be an available recourse, and 
that is not enacted to deal with such problems specifically, is if the acts in ques- 
tion involves the unauthorized use or interception of computer services, or the 
obstruction of the use of a computer, which can constitute an offences under the 
Computer Misuse Act (Cap. 50A) (CMA). In the case of PP v. Lim Siong 
KheeJ7] the stalker and the victim were in a short relationship and had gone 
on a European vacation before the victim called off the relationship. The 
stalker, in a classic case of the vengeful “former intimate” gained access to the 
victim’s e-mail account without her consent to send messages to her friends de- 
tailing their intimate relationship in an attempt to embarrass her. An offence 
was made out under sections 3, 6 and 7 of the CMA. [8] However, these pro- 
visions will not apply in the usual cases of the stalker sending e-mails or other 
forms of electronic messages to the victim directly or to third parties with the 
purpose of affecting the victim through indirect means. Also, again the pun- 
ishment may not adequately address the problem, for example, in the case of 
obsessive and psychologically disturbed stalkers. 


2.3. Relationship-based Action 
The Women’s Charter (Cap. 353) has provisions relating to harassment in the 


162 


context of domestic or relationship-based violence, specifically for the pro- 
tection of persons from family members. Section 64 includes the act of ha- 
rassment with intent to cause or knowing that it is likely to cause “anguish”. 
Sections 65 to 66 then provide for the issuance of protection orders (PO) and 
expedited orders (EO) to restrain a person from inflicting “family violence” 
(the violation of which is a criminal offence). However, these provisions are 
only protective measures available to “family members”. They do not, for ex- 
ample, cater to non-marital or non-family-related relationships. 

Similarly, the Moneylenders Act (Cap. 188) (MA) has specific provi- 
sions dealing with the harassment or intimidation of a debtor by his or her cred- 
itor in the context of a financial loan relationship. Section 33(1) of the Act 
makes it an offence for any creditor to, directly or indirectly, harass or intimi- 
date his debtor and members of the latter’s family or any other person in con- 
nection with the loan. In Chua Keem Long v Public Prosecutor,[9] the then 
Chief Justice Yong Pung How noted that the word “harassment” under the MA 
was undefined and proceeded to look up its definition in a non-legal diction- 
ary. Yong CJ referred to the definition under the New Shorter Oxford diction- 
ary, which defined “harassment” as “[to] trouble by repeated attacks... subject 
to constant molesting or persecution.” Yong CJ was of the view that a series of 
continuous or repetitious conduct is generally required for harassment, which 
can be contrasted to the act of intimidation, which can be a single incident. But 
he then gave the view that a single visit or encounter can still constitute ha- 
rassment if it is so intense as to amount to a persistent attack or persecution.[10] 

These legislative provisions were clearly not intended, and are inade- 
quate, to protect other victims of stalkers and of dealing with perpetrators with 
the profile that we are concerned with. So, for example, cohabitors, ex-partners, 
ex-boyfriends or girlfriends, neighbours, and secret admirers or other strangers 
do not qualify. The behaviour of stalkers can be rational or irrational, they can- 
not be compartmentalized according to relation or context and is irrespective 
of race, language, religion, education, age, gender or sexual orientation.[11] 


2.4. Situational/Context-based Action 


Sections 13A and 13B of the MOA deals with both intentional and non-inten- 
tional words or acts of “harassment, alarm or distress” by a person against an- 
other within physical or geographical proximity of that other person. Section 
13C deals with acts of harassment where violence is likely to result, while sec- 
tion 14A makes it an offence to make harassing calls to emergency numbers 
specifically. 

These provisions are of limited help specifically to stalking cases as they 
are limited in scope. For instance, they require face-to-face communications or 


163 


physical proximity. They also require a heightened level of threat due to the 
physical closeness of the parties. The words or behaviour have to be “threat- 
ening, abusive or insulting” which does not take into account the type of con- 
duct that can be perpetrated in stalking cases, including those that are active 
such as gift giving and electronic communications, or passive acts such as 
physical or electronic surveillance. They also relate to direct rather than indi- 
rect means of harassment. For instance, section 13A requires specific intent 
“to cause harassment, alarm or distress to another person”, which a delusional 
or mentally unstable stalker may not possess. The penalty of a fine of a maxi- 
mum of $5000 is hardly adequate deterrence or punishment to stalkers, most 
of whom are motivated by other than pecuniary goals or act out of emotional 
wants rather than for rational reasons or by logic. 

Finally, other offences relating to the effects of stalking are also gener- 
ally non-preventative and inadequate [1 2] except perhaps to some extent for the 
offences, if proven, of “attempt” and “conspiracy”. Hence, there is a need to 
create new provisions under existing criminal legislation or to enact new leg- 
islation to deal with the exceptional problems posed by stalking through the use 
of modern technology. 


3. Comparative Analysis of the Laws in Other Jurisdictions: 
Lessons for a Comprehensive and Effective Solution to 
Cyberstalking 


3.1. Definition and Scope 


Cyberstalking can loosely be defined as threatening behavior or unwanted ad- 
vances directed at another using the Internet and other forms of modern online 
electronic communications technology. [13] It is a new method of stalking 
which in turn is a form of harassment. Cyberstalkers use computers, cell 
phones, fax machines and other electronic or digital devices to track and pur- 
sue their victims.[14] Cyberstalkers are also increasingly sophisticated and can 
use such diverse technology as global positioning systems (GPS), hidden ca- 
meras and malware or spyware. Their motives are just as diverse.[15] 

Under the American Heritage dictionary, to “stalk” means “[t]o pursue 
by tracking stealthily” or “[t]o follow or observe (a person) persistently, espe- 
cially out of obsession or derangement”; and to “harass” means “[t]o irritate or 
torment persistently” or “[t]o wear out, exhaust”.[16] Whatever the factual de- 
finition of the words, the legal definition is what counts if recourse to legally 
enforceable civil and criminal recourse and protective measures are to be ava- 
ilable to victims. 

To come up with the definition, and hence the scope of legally actiona- 
ble stalking (incorporating elements of cyberstalking), we first have to identify 


164 


the modus operandi and decipher the profile of stalkers, paying particular at- 
tention to the digital context. Then we have to decide what balance should be 
achieved between right to privacy and personal space on the one hand and the 
benefits of social interaction, information flow and freedom of expression and 
physical movement on the other. Following from that, we have to consider 
what legislative approach to adopt - a list or general prohibition model. Finally, 
we have to come up with the most effective solutions to every aspect of the pro- 
blem. 


3.2. Policy Considerations Affecting Scope of Cyberstalking 


To adequately address the specific problems relating to cyberstalking, the fol- 
lowing points must be taken into consideration when tailoring a policy response 
in law: 

e “Stalking” should address the virtual medium. There is a need to 
broaden the definition of “stalking” to include electronic communica- 
tions (overt stalking) and surveillance, monitoring and tracking (covert 
stalking). The best way to do this is possibly not to even address any 
one medium, method or form; or to do it illustratively and on a non-ex- 
haustive manner. 

e Motive should be irrelevant. The offensiveness of stalking is unique in 
that it is the course of action and how it may affect another, rather than 
the aim, goal or motive that is the problem. Hence, intention should be 
in relation to the acts that contribute to what is, or is reasonably or likely 
to affect the victim. The stalker can act based on such diverse motives 
as love (“borderline / delusional erotomania”), sex (“sex addicts” / “se- 
rial rapists”), fame (“celebrity stalker” / “paparazzi’”), vengeance (“for- 
mer intimate” / “enemy”), control (“ego/power tripper”), or other 
deviance (“‘sociopaths” / “serial killers”).[17] 

e Victim should be identifiable. The threats or attentions must be proven 
to be directed at the victim as an identifiable individual or individuals 
rather than in a non-personal manner such as an indistinguishable mem- 
ber of a group, company or organization. The individual need not be the 
one that is the direct focus of an act of harassment or stalking as long 
as it is evidentially clear that the act was intended to have an effect on 
him or her. Hence stalking can be direct or indirect, although the latter 
behaviour will be more difficult to prove. 

e Behaviour should be unreasonable. The reasonableness or otherwise of 
the perpetrator’s act in relation to its potential effect on the victim 
should be a key element of the offence or tort. Hence, it should cover 
violent behaviour and the actual infliction of harm or threat of harm, 


165 


whether to the person or property or family, friends or loved ones. 
Whether it could extend to more ‘neutral acts’ is less clear and will 
have to depend on the foreseeable effects on the recipient to be objec- 
tively determine. What is reasonable can be measured by a combination 
of factors including cumulative course of conduct and the perpetrator’s 
reaction to the victim’s response, which must be applied to the facts 
and circumstances of each case. 

e Foreseeable effect should be weighted. As mentioned, to establish a fair 
balance of interests, a “reasonable man test” with an objective analysis 
should be applied. Such a test will also balance the want of certainty 
against the need for flexibility. Such a balance is measured by what are 
the reasonable and foreseeable effects in relation to the reasonable vic- 
tim. 

Series of Action should be the norm. There is a need for repetitive- 
ness or persistency of conduct. Repetition is a key feature of online stalking. 
A one-off attack online, while it may cause the recipient distress, cannot be de- 
scribed as cyberstalking. Cyberstalking is a course of conduct that takes place 
over a period of time and involves repeated attempts to cause a person distress. 
Some laws define it as involving two or more incidents following a repetitive 
pattern. Even if the one and only threat is the intended execution of an act of 
violence, it should not constitute stalking although it can constitute some other 
tort or offence under civil or criminal law respectively. However, a case can be 
made for access to preventative measures even without resort to a trial if there 
is strong evidence that an act will be repeated or followed-up or that there will 
be an escalation of a threat. Because it is the course of behaviour that we want 
to prevent and offer protection from, both the threat and actual institution of the 
ends sought to be attained could constitute the offence. 

Public policy defences should be included in criminal stalking provi- 
sions. Countries with more advanced laws in this area have established de- 
fences to acts that come within the legal definition of stalking (e.g. U.K. and 
Australian legislation) or exceptions for legitimate purposes for sound policy 
reasons. This is to ensure that actions that should not constitute an offence will 
not fall under it. 


3.3. Comparing Jurisdictional Legislative Initiatives 


Stalking law is more complicated than general harassment law. [18] It involves 
more subtleties because the victim’s perspective as well as the stalker’s has to be 
considered. Moreover, the profile of the stalker is more peculiar and may not be 
susceptible to normal treatment. For example, acts that may not constitute ha- 
rassment such as surveillance and even gift-giving and other non-threatening but 


166 


unwanted attention such as constant calls, e-mails and SMS or IM messaging can 
cross the threshold of what is considered socially normal or even tolerable inter- 
action to constitute stalking. Actions that may be acceptable or even encouraged 
in the context of a mutual loving relationship becomes sinister stalking behaviour 
in another context when there is no reciprocity of interest. 

Stalking legislation varies in scope across jurisdictions. [19] For example, 
it tends to be more expansive in some States in the United States and the United 
Kingdom, but is given narrower treatment in other States in the U.S., Canada, 
Australia and Japan. 


3.3.1. United States 


All the individual States in the United States, has enacted some form of stal- 
king legislation, and most have or are in the course of addressing cyberstalking 
in these provisions or separate legislation. [20]The types of stalking legisla- 
tion fall generally into, and in between, two categories according to the ele- 
ments constituting the offence: [21 ] 


The Higher Threshold category that generally consists of (a) a credible 
threat, and (b) the intent and (apparent) ability (to carry it out), which (c) cau- 
ses fear (to the victim for his or her own safety or that of his or her immediate 
family). 

The Lower Threshold category which largely consists of (a) behaviour 
directed at a victim that is performed by stalker, that is (b) knowingly, purpo- 
sefully and repeatedly carried out, which (c) causes alarm, annoyance, (etc.) 
and/or will cause a reasonable person to suffer fear and emotional distress 
(etc.). 

The 1993 Model Anti-Stalking Code for States (Model Code)[ 22] requ- 
ires both actus reus and mens rea, which is the norm for criminal offences. 
Most States require the following three elements to be satisfied: A threshold of 
threatening behavior such as a series or course of conduct; the intention to per- 
form those acts in relation to another; and the knowledge that it will cause a re- 
asonable person to fear harm or suffer emotional distress (although that may not 
be the motive). 


The hodgepodge of State laws and the piecemeal way in which they are 
‘updated’ in varying degrees and at different rates to specifically address pro- 
blems peculiar to cyberstalking, where existing legislation are found lacking, 
is unsatisfactory. [23] There is no comprehensive federal statute on cyberstal- 
king, although serious study has gone into it by the government. [24]The exi- 
sting federal laws that can partially cover cyberstalking still falls short of 
addressing all of its problems because they either still require a high threshold 


167 


“credible threat” requirement 25] have other requirements that are a throwback 
to the original purpose of the legislation, [26] or do not address problems spe- 
cific to the use of electronic communications. [27] 


3.3.2. United Kingdom 


In England and Wales, the emphasis is on protection and prevention of ha- 
rassment in general. [28] Hence section 1(1) of the Protection from Harass- 
ment Act of 1997 (Cap. 40) (PHA) provides for the prohibition of harassment, 
which includes alarming or causing distress, in that “[a] person must not pur- 
sue a course of conduct which amounts to harassment of another, and which he 
knows or ought to know amounts to harassment of the other; or “[a] person 
must not pursue a course of conduct which involves harassment of two or more 
persons, and which he knows or ought to know involves harassment of those 
persons, and by which he intends to persuade any person...not to do some- 
thing that he is entitled or required to do, or to do something that he is not 
under any obligation to do.” What he “ought to know” is determined using the 
“reasonable man test” in context, that is, “a reasonable person in possession of 
the same information” (section 1(2)). Exceptions are made to the rule. The 
powers of the court to punish and prevent are at sections 2-5 and range from 
criminal to civil powers (including monetary damages, injunctions and re- 
straining orders). [29] There is no specific reference to the use of new tech- 
nologies although the Malicious Communications Act of 1998 (MCA) does 
refer to electronic communications. 

Prior to the Act, [30] the tort of nuisance,[31 ] and the tort of public nui- 
sance, were used to deal with a case of stalking despite the uneasy relation- 
ship between these torts and the subject matter of harassment. [32] The tort of 
harassment has also been invoked, albeit on a limited basis. [33] 

Sections 8 to 11 of the PHA make corresponding provisions for Scotland. 
[34] The Protection from Harassment (Northern Ireland) Order 1997 in North- 
ern Ireland is substantially the same as the PHA except for a difference in num- 
bering. Similar replicas of the PHA have also been passed in the Isle of Man 
and the States of Guernsey in 2000 and 2005 respectively. 


3.3.3. Canada 


Canada deals with stalking under section 264 of Canada’s Criminal Code on 
criminal harassment. [35] Section 264(1) states that: “No person shall, without 
lawful authority and knowing that another person is harassed or recklessly as 
to whether the other person is harassed, engage in [prohibited] conduct. ..that 
causes that other person reasonably, in all the circumstances, to fear for their 


168 


safety or the safety of anyone known to them.” [36] The list of “prohibited 
conduct” is found at section 264(2). The maximum punishment for stalking is 
imprisonment (section 264(3)). 


3.3.4. Australia[37] 


Like in the U.S., Australian stalking laws are state-centric,[38] and there is no 
consistent nationwide law against stalking. Some of its laws have been upda- 
ted in response to the digital age. For example, under section 359B of the Qu- 
eensland Criminal Code (Stalking) Amendment Act of 1999, “unlawful 
stalking” (i.e. actionable stalking) is defined as conduct intentionally directed 
at a person and engaged in on any one occasion if the conduct is protracted or 
on more than one occasion and that consisting of one or more acts of a type that 
are listed,[39] that would cause the stalked person apprehension or fear, re- 
asonably arising in all the circumstances, of violence to, or against property of, 
the stalked person or another person; or causes detriment, reasonably arising 
in all the circumstances, to the stalked person or another person.” [40] It is no- 
teworthy that section 359C renders irrelevant the personal awareness or mi- 
staken identification of the stalked person, the use of a third party, similarity 
in action, intention to cause apprehension or fear or that it is actually caused, 
or motive. Finally, section 359D lists exceptions to section 359B and sections 
359E-F provides for the powers of the court to punish or prevent stalking be- 
haviour.[41] 

In Victoria under the Crimes Act of 1958, stalking is defined as “enga- 
ging in a course of conduct with the intention to cause physical or mental harm, 
apprehension or fear.” That conduct includes some of the usual physical acts 
similar to the Queensland Act including keeping the victim under surveillance 
and engaging other parties to do any of the acts. The offender’s action must 
achieve the result (e.g. apprehension or fear) intended by the offender. The pe- 
nalty is imprisonment. The legislation was updated by the Crimes (Stalking) 
Act 2003, which extended the definition of stalking to include acts performed 
through the use of the electronic medium. 


3.3.5. Japan 


In Japan, “stalking” is defined as “repeated acts of harassment of a specific 
person, motivated by an emotional attachment or a grudge borne because of 
unrequited love”.[42] This is quite limited in scope and confines the offence to 
the motive of the perpetrator, and only one motive at that. A person who en- 
gages in any of the eight listed activities relating to the abovementioned acts 
can be charged with stalking.[43] The penalty for anyone found guilty of vio- 
lating the law is imprisonment or fine. 


169 


3.3.6. Inchoate Developments in Other Countries 


Many other countries all over the world have either enacted specific anti-stalk- 
ing legislation or provisions, or are studying the feasibility of doing so and the 
models to be considered for adoption. For example, the Law Reform Com- 
mission of Hong Kong issued a Report on Stalking Law,[ 44] which identified 
the concept of “harassment” in such a situation as descriptive of both “the ac- 
tivities engaged in by stalkers” and “the impact which such behaviour would 
have on victims of stalking”. Thus it acknowledges both perspectives in rela- 
tion to the problem. The rising problem of cyberstalking has been raised in the 
Singapore Parliament, \[45] the Singapore Law Reform Committee has pro- 
duced a report on the feasibility of anti-stalking legislation in 2005, but it has 
also yet to be translated or materialise into law. 


3.4. Recommendations for Cyberstalking Legislation 


From the above evaluation of the unique problems relating to cyberstalking 
and assessment of the changes and shortcomings of existing cyberstalking laws, 
we have identified some of the needs that have to be addressed in order for 
legal protection against cyberstalking (in addition to existing harassment and 
‘offline’ stalking laws) to be effective. In short, any enactment or amendment 
of such laws must address the social and policy angle (and the balance of in- 
terests), and the unique issues to cyberstalker based on their profile and the 
problems peculiar to electronic stalking (perpetuated by the increasingly novel 
ways of stalking offered by the benefits of technology), taking into account 
existing related legislation. It must be mentioned that, the investigation and 
enforcement arms of the law must also be rendered effective to meet the spe- 
cial demands and challenges of cyberstalking. 


3.4.1. Substance 


The recourse should be a criminal action with the public resources and tools 
that it offers, such as police investigation and protection as well as various 
forms of criminal sanctions. Some civil redress should also be available to the 
courts, particularly to take anticipatory actions to prevent initial or continuing 
anti-social stalking behaviour, such as through the proactive use of restraining 
orders and the like. 


Taking into account the policy considerations and legislative prototypes 
that have been canvassed, I come to the following conclusions. For an anti-cy- 
berstalking law to be effective, it should: 

Constitute a criminal offence but the courts should be given the power 
to use or impose both criminal and civil measures as appropriate. As a specie 


170 


of stalking and sub-specie of harassment, anti-cyberstalking should be part of 
an updated stalking or harassment legislation, albeit an integral part; and the 
new challenges offered by cyberstalking must be addressed. 


Address both actual behaviour and the threat thereof in whatever form, 
including through electronic and other information and communication devi- 
ces. Hence, there should be online and offline consistency of treatment,[46] 
and the provision should be technologically neutral. Any physical proximity or 
a credible threat requirement will not be practical and can be ineffective in pro- 
secuting certain cyberstalkers depending on the modus operandi. 


The method of directing acts at the victim and at persons close to the 
victim which are meant to have an effect on the victim, must take into account 
and include new and innovative methods of stalking in cyberspace such as the 
use of automatic non-human agents or third party action through the use of 
computer software, impersonation and instigation of third parties. 


Require a sufficiently anti-social behaviour directed at the victim by the 
perpetrator. The motive or ability to carry out a threat or follow up on behaviour 
directed at the victim are not prerequisites as we are dealing with the effects on, 
and seeking to protect, the reasonable victim’s state of mind based on a factual 
determination of what is socially acceptable behaviour directed at him. 


Put into the legal equation the actual and potential effects on the victim 
by requiring the actual or constructive knowledge of the alleged stalker (i.e. 
“knows or should reasonably know’) that his or her words or actions will cause 
serious annoyance, alarm, fear or mental distress (based on an objective as- 
sessment), 


Require that the acts either did cause the victim harm, injury or death; 
or will cause a reasonable person serious annoyance, alarm, fear or mental di- 
stress (based on the same objective test) under the facts and circumstances of 
the case (which is the subjective context). This is an objective test based on and 
applied to the subjective facts and circumstances of each case, which will have 
to be sensitively applied in order to adequately balance the needs of the indi- 
vidual to freedom of speech, expression and movement on the one hand, and 
the right of the individual to privacy, safety and security on the other. 

To further establish a fair balance of rights, a gradation model for re- 
medies and punishment should also be adopted. Also, public policy exceptions 
can be made for legitimate functions such as police investigations and money 
collection not amounting to harassment or intimidation. 


Hence, the elements of an offence of stalking that has to be satisfied be- 
fore sanction can be imposed should be as follows: 


171 


3.4.1.1. Identifying the Main Elements of a “Stalking” Offence 


As with most crimes, stalking has both mens rea and actus reus requirements. 
Stalking as an offence should consist of: A course of conduct caused by a per- 
son (the stalker) that is directed at or towards another person (the victim) that 
the stalker knows or should reasonably know will cause serious annoyance, 
alarm, fear or mental distress to the victim. 


3.4.1.2. Defining “Course of Conduct” and Illustrating the Type of 
Conduct 


“Course of conduct” can be defined as the repeated or persistent surveillance of 
a person and the repeated or persistent making of communications to a person or 
a combination of both whether directly or indirectly by whatever means. “Con- 
duct” includes physical and electronic acts or words. It can include instigation of 
an outcome and it can also be vicarious in nature. Thus, pursuing a “course of 
conduct” can be direct or indirect, active or passive, or any combination. An illu- 
strative list should include references to both surveillance and communications as 
well as to traditional and technological methods. Type of effect on the victim can 
also be included but is not necessary (e.g. the behaviour can affect a reasonable 
person’s freedom of movement). 


The actual course of conduct need not be performed by the same person or 
instrument.[47] As noted before, acts also include words, and they can constitute 
other forms in the digital context that were not as common or that were even unk- 
nown in the physical realm, such as impersonation of the victim to elicit or invite 
reaction from third parties or the use of third parties to harass the victim. The co- 
urse of conduct need not be perpetrated directly by the stalker or by just one per- 
son. It can be the cumulative effect of the words or actions of several persons or 
even non-human agents, such as the automatic and repeat sending of messages by 
software programming. Persistency, especially in the face of rejection, distingu- 
ishes a genuine stalker from, for instance, a one-off incident such as the actions 
of an over-eager suitor. 


It should be made clear that the list is not exhaustive and is meant only as 
a guidance of the type of behaviour that amounts to a course of conduct. It sho- 
uld primarily address the words or actions rather than the means (i.e. medium and 
technology neutral) although the possible mediums used, that is, physical or elec- 
tronic, can be highlighted as illustrative of the trend. The words or actions need 
not be the same in order for them to have the cumulative effect of a course of con- 
duct. 


172 


3.4.1.3. “Directed at or Towards” Another can be Direct or Indirect 


Stalking as an offence is of a personal nature. This relates to the identifiability 
of the victim and of the targeted nature of the act. It must be made clear that 
the acts relate to the causing of negative mental and emotional effects on the 
victim and they can include indirect acts such as acts directed towards the vic- 
tim’s family, friends or loved ones. 


3.4.1.4. Determining the Mental Element and its Relation to the Ef- 
fect on the Victim 


Cyberstalking and offline stalking should share the same mens rea require- 
ment. To be effective, cyberstalking statutes should criminalise conduct that 
either causes a real effect or that a reasonable person will know will cause ano- 
ther one or more of the effects listed. What is reasonable, whether relating to 
the perpetrator or the victim, is to be objectively determined. 

First, there must be an intentional mens rea requirement to engage in 
the abovementioned “course of conduct”. Generally, a stalker must willfully or 
intentionally engage in repetitive conduct of a nature that relates to the next 
mental element, which is the mental state requirement tied to the effects on the 
victim. Hence, just like an ‘offline stalker’, a cyberstalker should have inten- 
tionally engaged in conduct that causes his target or a reasonable person to fear 
for her safety. 

Second, there is another mens rea requirement that relates to the effects 
on the victim. Laws that focus solely on the perpetrator’s conduct fall short in 
combating cyberstalking. On the other hand, laws with a “reasonable person” 
standard can better address cyberstalking because they accurately focus on the 
standards expected of the perpetrator in society as well as on the effect of the 
perpetrator’s conduct on the victim.[48] 

It is the unique nature of stalking and the profile of the stalker that expla- 
ins the requirement for a series of conduct and why the mental element is based 
on basic/general intent, that is, the judgment of a reasonable person (unlike 
most criminal offences which require specific intention). Countries that requ- 
ire constructive or actual knowledge include some States in the U.S. and Au- 
stralia, the U.K., Canada, Ireland and New Zealand. Countries or States that 
require specific intent (usually to cause some form of injury) are confining it 
too narrowly and would not have taken into account the unique and diverse 
scenarios of cyberstalking. 

To be fair, both the perpetrator and the victim are to be held up to the ob- 
jective standards of the reasonable person. Hence, to “reasonably know” actu- 
ally reflects both the test in relation to the perpetrator (the objective assessment) 


173 





in the context of each case (the subjective context). The perspective of the ‘re- 
asonable victim’ in the element of the offence and in the analysis of the men- 
tal state of the perpetrator should be a unique feature of this offence. 


3.4.1.5. The Appropriate Degree of Effect or Level of ‘Harm’ 
Threshold 


Arguably, the greatest challenge lies in determining the appropriate threshold 
for the degree of effect or the level of ‘harm’ that will provide the basis for 
legal action. The challenge is in establishing a balance between what is ‘social’ 
and what is ‘anti-social’ behaviour in the ever-changing social context. There 
is a fine line between the two as we have seen due to the demands of society 
and close living, the requirement for compromise and in balancing personal 
peace with fruitful social activities. 

Criminal statutes that are most useful and successful in prosecuting cy- 
berstalkers and protecting victims are those which shift the focus from the per- 
petrator’s behavior to the effect on the victim. The victim’s state if mind is 
appropriate due to the highly contextual nature of the stalking acts and a con- 
sideration of the objective effects on the victim. That is, evaluating the facts and 
circumstances and what the reasonable victim will experience under them, but 
excluding from the analysis personal sensitivities and foibles. After all, one 
must remain mindful that criminal law deals mainly with societal and public 
issues rather than inter-personal problems. 

Behaviour that “threatens”, “harasses”, “intimidates”, “terrorizes” or 
“torments” are words that are commonly used in some legislation, but they 
may not be sufficient. A case can be made for sanctioned behaviour, in the di- 
gital age, to extend to conduct that alarms and even seriously annoys another 
although care must be taken in ensuring that there is a reasonable threshold 
that will not include negligible or ‘minor’ negative effects that is the cost of li- 
ving in an urban society and inter-connected world. 


3.4.2. Form 


The main format issue which has to be considered is whether to have a provi- 
sion that generally prohibits the offence (i.e. a General Prohibition Model) such 
that those used in the U.K. and the U.S. Federal Statute and selected States; or 
one that more specifically states the acts constituting an offence (i.e. a List 
Model) such as those in Canada, Australia, Japan and other State in the 
U.S.;[49] or a combination of both, and if so, what type of combination it sho- 
uld take. 

It is proposed that a combination model is the best approach to take. I re- 


174 


commend a general prohibition provision with a non-exhaustive illustrative list 
of common stalking and cyberstalking acts. 

A general prohibition will clearly and concisely inform as to the offence 
of stalking while a non-exhaustive list will give support and additional gu- 
idance to the courts (serving as both evidence of “course of conduct” and as il- 
lustrative guidance on other similar activities). This approach provides 
flexibility without the expense of incurring more uncertainty. The courts can 
then be trusted to apply the provision with purposeful objective and wisdom. 

While a simple and succinct general prohibition approach has the bene- 
fit of certainty, the usefulness of open-ended (i.e. non-exhaustive) illustrations 
is that it will guide the courts to confine actionable stalking to the types of be- 
haviour that the legislation is meant to cover, while being sensitive to techno- 
logical and social change, and leaving other types disputes such as nuisance and 
neighbour disputes (very common in urban areas) to the more appropriate law, 
such as the tort of harassment and nuisance. 


4. Civil and Criminal Legal Recourse and Redress 


Cyberstalking is a social problem that requires a unique set of legal ‘remedies’ 
in order for the law to be effective in preventing and removing it. The most 
important reason for criminalising stalking is that it can provide appropriate 
sanctions and powers to deal with perpetrators, which are not available if we 
merely rely on civil action such as the tort of harassment or existing piecemeal 
and outdated statutory provisions. 


4.1. Recommendations for Types of Recourse and Redress 


Both civil and criminal recourse and redress should be available to alleged vic- 
tims.[50] 

Punishment under criminal law serves several purposes. The main ob- 
jectives are to deter and prevent offences generally, to incapacitate the offen- 
der from committing further offences, to rehabilitate the offender where 
appropriate, and to mete out retributive or restorative justice. These are all fac- 
tors that should be taken into consideration in the development of the options 
recommended to be made available to the courts. 

Upon criminal conviction, the courts should also be given additional po- 
wers to order medical treatment or supervision such as psychiatric evaluation, 
whether while the offender is in incarceration or otherwise. If it is determined 
that the perpetrator is so mentally unsound that the mens rea is not made out 
or he cannot even make his defence, the courts or the authorities should also 
have the power to remand him for treatment in a mental facility or take any 


175 


other action that will rehabilitate him and to prevent continued threat of stal- 
king. The stage of recourse, whether by request of the victim or by the court’s 
initiative, to order a mental evaluation, should be legislatively addressed. 

Furthermore, the power to make other orders such as to disallow access 
to, or use of, instruments to perpetrate the offence should also be considered 
and legislated. For example, prohibiting electronic access such as prohibiting 
the use of the Internet for a period of time or regulated/limited usage. This will 
have an incapacitating effect. 

The approach to punishment in general should be one that is graduated 
and preventative, and with an early interventionist objective taking into acco- 
unt implications on civil liberties. Because stalking is also capable of early de- 
tection as it constitutes a cumulation of acts, its further development can be 
arrested and its continuation prevented through preemptive protection. In this 
case, civil remedies are also an important addendum to criminal sanctions, 
which generally come in ‘after the fact’ (i.e. after the acts have been commit- 
ted, or at the very least attempted). 

Civil remedies may serve to warn stalkers to stop, for example, by in- 
junctions or protection orders, and to provide monetary remedies for victims 
if acts have led to damages such as for medical treatment or pain and suffering. 
For those stalkers that are less likely to respond merely to warnings and to be 
deterred by the threat of pecuniary damages, other forms of deterrence or me- 


asures of prevention such as mandatory medical treatment or supervision, in- 


capacitating measures and even incarceration, which are criminal sanctions, 
may be more appropriate. 


4.2. Recommendation for a Sliding Scale of Recourse and Redress 


There should be a gradation or scale of remedies or punishment for offenders 
in a civil and criminal action respectively. The remedies may include warning, 
restraining or protection orders with consequences for violation, fine, impri- 
sonment, caning, and mental assessment and/or treatment, with probation or 
confinement. This is to ensure that the most appropriate and effective remedy 
is given for the relevant offender. l 

So that sentencing is rational and is based on the level of the offender’s 
culpability, the severity of the remedy or punishment can be statutorily provi- 
ded for. For instance, recurrent offences (i.e. recalcitrant offenders) and ag- 
gravated offences (e.g. flagrant disregard for protective orders, possession and 
use of weapons, causing actual harm, escalation of behaviour) should carry he- 
avier penalties. 

In the meantime, as noted earlier, the courts should also be given po- 
wers to grant interim relief, such as an interim injunction to restrain the beha- 


176 





viour complained of or the alleged stalker from approaching or contacting the 
complainant, pending the outcome of the case. 

Some other solutions can include Offender Registration, which is use- 
ful for profiling, forewarning and police investigations; and the use of Anti-So- 
cial Behaviour Orders (ASBO) that serve as community warning or 
notification. Electronic monitoring devices may also be considered in order to 
be able to monitor the movement of certain offenders and their proximity vis- 
a-vis the target. 

Finally, it is envisioned that there will not be a problem with frivolous 
complaints or litigation. An alleged stalker can always reject a police stern war- 
ning or go to trial. Lack of evidence or merit can also prompt the public pro- 
secutor not exercise prosecutorial discretion not to proceed with a case. As for 
private prosecutions and civil trials, they involve cost and effort on the part of 
the alleged victim. Moreover false or frivolous complaints can come with legal 
consequences as well. 


5. Conclusion 


One must remember the social and policy reasons behind combating cyber- 
stalking, which is the need to reign in the anti-social effects and inconvenien- 
ces of negative types of electronic communications and to protect people from 
mental harm, not just to protect people from the potential manifestation of phy- 
sical harm. In the same way that spam is a problem that requires a distinct tre- 
atment from junk mail, so too cyberstalking requires additional attention from 
harassment and stalking. The uniqueness of stalking is that motive is irrele- 
vant and the effect of a series of acts on the reasonable victim is key. More 
specifically, in the case of cyberstalking, increasing recognition must be given 
to the effects of non-physical, non-proximate and other methods of stalking 
that were not known or common in the past when stalking was largely linked 
to the physical form. 

Anti-stalking legislation around the world generally follow two basic 
models: The “list model”, which can consist of a ‘closed’ list of acts (e.g. some 
States in the U.S., Canada, Australia and Japan) which provides certainty. The 
other model is the “general prohibition model” (e.g. the U.K. and other U.S. 
States). The preference and the recommendation here is to adopt the latter 
model with an ‘open’ ‘illustrative list’ of examples, which can be updated, and 
that can serve as guidance to the courts. This will provide certainty while re- 
maining flexible and responsive to change. 

Substantively, criminal stalking can be defined as a course of conduct or 
behaviour (i.e. more than a single incident) that is perpetrated by one person 
upon another (i.e. individual-to-individual), and either the alleged stalker in 


177 


fact knows that the conduct will cause serious annoyance, alarm, fear or men- 
tal distress to the victim; or a reasonable person (objectively tested) will con- 
sider that the behaviour will cause serious annoyance, alarm, fear or mental 
distress to the victim (objectively tested) under the circumstances and in the 
context of the case (subjective context). 

In the electronic frontier, the perpetrator requires no passport and do not 
pass through any checkpoints while navigating cyberspace and committing his 
acts. The problem of extra-territorial jurisdiction and enforcement extends to 
the problem of cross-jurisdictional stalking. The enforcement of national laws 
and procedures on a global scale is a challenge unless there is consistency of 
legal treatment worldwide and cooperative procedural arrangements. Like other 
types of cybercrime, a concerted effort is required to create an international 
regime for mutual co-operation and enforcement and to tailor a consistent legal 
and regulatory approach to cyberstalking behaviour worldwide. Dealing with 
it in an international forum and through the use of a harmonizing instrument 
such as the Cybercrime Convention will go some way in tackling the global 
problem.[51] 


Notes 


[1] See Kimberly Wingteung Seto, How Should Legislation Deal With Children as the Vic- 
tims and Perpetrators of Cyberstalking?, 9 Cardozo Women’s L.J. 67, 73-74 (2002), on 
the specific problems relate to identifying the stalker, effective deterrence, novel ways of 
stalking online and collection of evidence. 

[2] For the rising statistics of stalking in the United States and in Japan, see Diana Lamplugh 
& Paul Infield, Harmonising Anti-Stalking Laws, 34 Geo. Wash. Int’l L. Rev. 853, 853- 
858 (US), 466-467 (Japan) (2003). On the effects of stalking on victims, see Nga B. Tran, 
A Comparative Look at Anti-Stalking Legislation in the United States and Japan, 26 Ha- 
stings Int'l & Comp. L. Rev. 445, 448-9 (2003). 

[3] See Malcomson v. Mehta, [2001] 4 SLR 454; [2001] SGHC 308 (High Court) at para. 
54. See also, Chee Siok Chin and Others v. Minister for Home Affairs and Another [2006] 
1 SLR 582; [2005] SGHC 216 (High Court) at paras. 76 and 124. 

[4] See Malcomson y. Mehta, ibid. 

[5] Ibid. at para. 31. 

[6] Trespass requires the threat or use of force or physical contact. Private nuisance requ- 
ires an interference with the use or enjoyment of land rather than anything to do with the 
person. 

[7][2001] SGDC 32 (District Court) [2001] 2 SLR 342; [2001] SGHC 69 (High Court). 
[8] Section 3 makes it an offence to obtain unauthorised access to computer material, sec- 
tion 6 makes the unauthorised use or interception of computer services an offence, and 
under section 7, the unauthorised obstruction of the use of a computer is also an offence. 
Punishments are in the form of a fine, imprisonment or both. 

[9][1996] 1 SLR 510; [1996] SGHC 30. 

[10] See also, Kan Chee Seng v. PP MA 117/98/01; PP v. Tee Choon Lian MA 338/95/01; 


178 


Chan Kuan Swee v. PP MA 219/95/01; Ng Kum Kong v. PP MA 132/2001/01; and Lau 
Tian Heng v. PP MA 229/2001/01. 


[11] See Evonne von Heussen, The Law and ‘Social Problems’: The Case of Britain's Pro- 
tection from Harassment Act 1997, 1 Web JCLI (2000), available at: 
http://webjcli.ncl.ac.uk/2000/issue1/vonheussen1 html. See also, B. Stanko, Men Who Beat 
the Men Who Love Them - Battered Gay Men and Domestic Violence, 33 British Journal 
of Criminology (1993). 

[12] Other forms of legal recourse in Singapore law include the use of a private summons 
or the application of the Criminal Procedure Code (Cap. 68), which addresses threats such 
as harm and trespass. Also, Penal Code offences that may be applicable depending on the 
circumstances includes criminal behaviour that can sometimes be displayed during a stal- 
king such as assault (section 351), outrage of modesty (section 354), house trespass (sec- 
tion 442), defamation (section 499), criminal intimidation (section 504), and criminal 
intimidation by anonymous electronic mail (section 506). 


[13] For our purposes “acts” can include “words”. For another attempt at a definition, see 
the U.S. Department of Justice (DOJ), Report on Cyberstalking: A New Challenge for Law 
Enforcement and Industry (1999), available at: http://www.usdoj.gov/criminal/cyber- 
crime/cybertstalking.htm. 


[14] See e.g., Jennifer Starr, E-Mail Harassment - Available Remedies and Proposed So- 
lution, 39 Brandeis L.J. 317 (2001). 


[15] There are many different ways of compartmentalising stalkers, which goes to show 
how diverse the profiles can be and how varied the motives are. See further, Cyber911 
Emergency: Cyberstalker Profile at: http://www.wiredsafety.org/cyberstalking_haras- 
sment/stalker.html, which categorizes stalkers into three basic types: Obsessional, Delu- 
sional and Vengeful. 


[16] The American Heritage Dictionary of the English Language (4th ed., Houghton Mif- 
flin Company, 2000). 

[17] See K.G. McAnaney, L.A. Curliss and A.E. Abeyta-Price, From Imprudence to Crime: 
Anti-Stalking Laws, 68 Notre Dame Law Review 819, 821-823 (1993). See also, Amy C. Ra- 
dosevich, Thwarting the Stalker: Are Anti-Stalking Measures Keeping Pace With Today's 
Stalker?, U. TU. L. Rev. 1371, 1377-1380 (2000); and Rebecca K. Lee, Romantic and Elec- 
tronic Stalking in a College Context, 4Wm. & Mary J. of Women & L. 373 (1998). See fur- 
ther, Harry A. Valetk, Mastering the Dark Arts of Cyberspace: A Quest for Sound Internet 
Safety Policies, Stan. Tech. L. Rev. 2 (2004) at Part II; and Catherine E. Smith, Intentional 
Infliction of Emotional Distress: An Old Arrow Targets the New Head of the Hate Hydra, 80 
Denv. U.L. Rev. 1 (2002) 


[18] Anti-stalking legislation is difficult to draft as its nature is imprecise and behaviour that 
is ordinarily normal can become sinister taken in context. See E. Ogilvie, Stalking: Legi- 
slative, Policing and Prosecution Patterns in Australia (Australian Institute of Criminology, 
2000) at page 12. 


[19] See Lorraine Sheridan, What is Stalking? The Match Between Legislation and Public 
Perception, Paper presented at the Stalking: Criminal Justice Responses Conference co- 
nvened by the Australian Institute of Criminology and held in Sydney, 7-8 December 2000. 


[20] For an overview of U.S. State legislation, see Aaron Burstein, Annual Review of Law 
and Technology: III. Cyber Law: B. Cybercrime: A Survey of Cybercrime in the United 
States, 18 Berkeley Tech. L.J. 313, 319 (2003); Kimberly Wingteung Seto, How Should 
Legislation Deal With Children As the Victims and Perpetrators of Cyberstalking?, 9 Car- 
dozo Women's L.J. 67, 80-91 (2002) (“Part V. Current Legislation On Cyberstalking”); and 
Joseph C. Merschman, The Dark Side of the Web: Cyberstalking and the Need For Con- 


179 


temporary Legislation, 24 Harv. Women’s L.J. 255 (2001): 


[21] See Shonah Jefferson and Richard Shafritz, A Survey of Cyberstalking Legislation, 32 
U. West. L.A. L. Rev. 323, 328 (2001); and Keirsten L. Walsh, Comment, Safe and Sound 
at Last? Federalized Anti-Stalking Legislation in the United States and Canada, 14 Dick. 
J. Int’l L. 373, 386 (1996). 


[22] In October 1993, the final summary report of the Project to Develop a Model Anti- 
Stalking Code for States was presented to the National Institute of Justice. The U.S. fede- 
ral government’s Anti-Stalking Code of 1993 legally defines the crime in the following 
manner: “{Stalking is] a knowing, purposeful course of conduct directed at a specific per- 
son that would cause a reasonable person to fear bodily injury or death to himself or her- 
self or a member of his or her immediate family.” 


[23] See Naomi Harlin Goodno, Cyberstalking, a New Crime: Evaluating the Effective- 
ness of Current State and Federal Laws (4 September 2006), bepress Legal Series wor- 
king paper 1689, available at: http://law.bepress.com/expresso/eps/1689/. 


[24] See e.g., the Stalking and Domestic Violence: Report to Congress (2001), available at 
the National Conference of State Legislatures web site at: 
http://www.ncjrs.org/pdffiles 1/ojp/186157.pdf. 


[25] The Interstate Communications Act, 18 U.S.C. § 875(c). 
[26] The Federal Telephone Harassment Statute, 47 U.S.C. § 223. 
[27] The Federal Interstate Stalking Punishment and Prevention Act, 18 U.S.C. § 2261A. 


[28] The landmark case on stalking in the U.K. was the Court of Appeals case of Burris v 
Azadani [1995] 1 WLR 1372. It was that case that first recognised stalking as a tort, and 
an injunction was used to prevent further stalking by the perpetrator. In 1997, the House of 
Lords decided in the cases of R v Burstow & R v Ireland [1997] 3 WLR 534, that stalkers 
who cause psychological injury to their victims can be prosecuted for the criminal offen- 
ces of causing actual bodily harm or grievous bodily harm even if they have not physically 
attacked their victim. See Deepa Bhabutta, Anti-Stalking Legislation, available at: 
http://www. lawgazette.com.sg/2002-2/Feb02-feature2 .htm#f7. 


[29] The PHA created two criminal offences and gave the civil courts the authority to award 
damages and issue injunctions in harassment cases. Section 3(1) of the Act provides for 
civil remedy and damages may be awarded for anxiety and financial loss caused by and re- 
sulting from harassment (section 3(2)). 


[30]See Michael J. Allen, Look Who Stalking: Seeking a Solution to the Problem of Stalking, 
4 Web JCLI (1996), available at: http://webjcli.ncl.ac.uk/1996/issue4/allen4. html. 


[31] See Burnett v George [1992] 1 FLR 525; Pidduck v Molloy [1992] 2 FLR 202); Kho- 
rasandijan v Bush [1993] 3 WLR 476; and Burris v Azadani [1995] 1 WLR 1372. 


[32] See R v Johnson (Anthony Thomas), The Times, May 14, 1996; but contrast it to Mad- 
den [1975] 3 All ER 155. 


[33] E.g. Wilkinson v Downton [1897] 2 QB 57; Burnett v George [1992] 1 FLR 525; and 
Burris v Azadani [1995] 1 WLR 1372. See T. Lawson-Cruttenden , The Final Emergence 
of the Tort of Harassment?, Family Law 625 (1995); and John Murphy, The Emergence of 
Harassment as a Recognised Tort, 143 New LJ 926 (1993). 

[34] E.g. Wilkinson v Downton [1897] 2 QB 57; Burnett v George [1992] 1 FLR 525; and 
Burris v Azadani [1995] 1 WLR 1372. See T. Lawson-Cruttenden , The Final Emergence 
of the Tort of Harassment?, Family Law 625 (1995); and John Murphy, The Emergence of 
Harassment as a Recognised Tort, 143 New LJ 926 (1993). 


[35] For a detailed examination of the legislative history of section 264 of Canada’s Cri- 


180 


minal Code, see Bruce A. MacFarlane, People Who Stalk People, 31 UBC Law Review 37 
(1997). See also, Keirsten L Walsh, Safe and Sound at Last? Federalized Anti-stalking Le- 
gislation in the United States and Canada, 14 Dick. J. Int’l L. 373 (1996). 


[36]The “reckless” standard is higher than that of a “reasonable man” standard. Note that 
fear for safety is probably equivalent to fear of violence or harm (e.g. it can encompass 
fear of sexual assault), but is not as narrow as fear of injury or death. 


[37] In New Zealand, stalking may be addressed to some extent by existing legislation such 
as the Harassment Act of 1997, the Domestic Violence Act of 1995, the Telecommunica- 
tions Act of 2001 and the Crimes Act of 1961. There have not been any test cases on cy- 
berstalking under these pieces of legislation. 


[38] See the Harassment Law web site at: http://www.harassment-law.co.uk/australia.htm. 
See also, Caslon Analytics, Cyberstalking, December 2005, available at: http://www.ca- 
slon.com.au/stalkingnote2.htm#avos, for a brief summary of State enactments on stalking. 


[39] These appear descriptive rather than mandatory and thus have more the effect of illu- 
strations than as prerequisites. The list is not meant to be exhaustive. 


[40] See Daniel Sullivan, A Critical Analysis of Queenslands Cyberstalking Legislation, 
Computers and Law, June 2002, at page 7. 


[41] For an examination of the changes that the Queensland Criminal Code (Stalking) 
Amendment Act of 1999 made to the original section 359A of the Queensland Criminal 
Code Act of 1899, see Sally Kift, Stalking in Queensland: From the Nineties to Y2K, 11 
Bond L.R. 144 (1999). 

[42] Japan’s Law on Proscribing Stalking Behaviour and Assisting Victims of 2000. See 
Nga at Note 2. 

[43] This appears to be a set and exhaustive list; hence, at least one of those activities is re- 
quired as a pre-requisite element to prove stalking. 

[44] The Law Reform Commission of Hong Kong Report (October 2000), at page 5, ava- 
ilable at: http://www.worldlii.org/hk/other/hklre/reports/2000/3/stalk-Chapter-6.html or 
http://www.worldlii.org/cgi-worldlii/disp.pl/hk/other/hkire/reports/2000/3/stalk% 2dChap- 
ter%2d6.html. 

[45] See Parliamentary Debates Singapore Official Report: Tenth Parliament, Part I of First 
Session, Volume 74, 17 May 2002, available at: bttp://www.parliament.gov.sg 

[46] See EFF, The Electronic Frontier: The Challenge of Unlawful Conduct Involving the 
Use of the Internet: A Report of the Presidents Working Group on Unlawful Conduct on the 
Internet, March 2000, available at the EFF web site at: http://www.usdoj.gov/criminal/cy- 
bercrime/unlawful.htm#TECH. 

[47] See e.g., Joanna Lee Mishler, Cyberstalking: Can Communication via the Internet 
Constitute a Credible Threat, and Should an Internet Service Provider Be Liable if it 
Does?, 17 Santa Clara Computer & High Tech. L.J. 115, 115-118 (2000). 

[48] See Joseph C. Merschman, The Dark Side of the Web: Cyberstalking and the Need for 
Contemporary Legislation, 24 Harv.Women’s L.J. 255, 260 (2001). 


[49] See Lamplugh & Infield at Note 2, pages 860-865. 
[50] See Carol E. Jordan, Karen Quinn, Bradley Jordan and Celia R. Daileader, Stalking: 


Cultural, Clinical and Legal Considerations, 38 Brandeis L.J. 513, 578-579 (2000) at pa- 
ragraphs 7 to 9. 


[51] The Council of Europe (CoE) Convention of Cybercrime of 23 November 2001 is 
available at the CoE web site at: http://conventions.coe.int/Treaty/en/Treaties/Html/ 
185.htm. 


181 


Identity Theft and the Gullible Computer User: 
What Sun Tzu in The Art of War Might Teach 


Joseph Savirimuthu 
Lecturer in Law 
Liverpool Law School 
University of Liverpool 
jsaviri@liverpool.ac.uk 


Abstract. Securing trust is now a priority. Identity theft, phish- 
ing and pharming have exposed shortcomings in the criminal law. The 
online environment is now seen as the playground of criminals. Online 
criminal activities pose significant social and economic costs. Appar- 
ently, the Fraud Act 2006 is the instrument that will now neutralise the 
threats posed by phishers and identity thieves. This concept paper is an 
attempt to chart a less tenuous path of claim and counterclaim that often 
rears its head when the subject turns to personal Internet security. Ac- 
cordingly, the paper aims to initiate a debate on how we can begin to 
think about information security and the role of law against the growing 
threats posed by identity thieves and phishing. I draw on the insights of 
Sun Tzu in The Art of War as way of understanding how best we can 
manage and reduce complexity. The debates have all too often focussed 
on liability rules and legal reform. The resulting impasse can be over- 
come if the problem is first of all properly characterised. A balanced pol- 
icy debate requires an understanding of two key matters - “trivergence’ 
and the gullible computer user. The hypothesis is that before we can 
think about regulatory tools to curb practices like phishing an identity 
theft we need a better understanding of the interactions between data, de- 
vices and networks. 


Introduction 


There is a meme — law is an optimal instrument for steering through policies 
in respect of responsible computer use. As broadband penetration increases, 
personal internet security has become a live political issue. The reasons are not 
difficult to fathom. Increased Internet connectivity has led to an explosion of 
economic and social activity. The exponential growth of the Internet has 
brought with it a dark side. Criminals have harnessed new information and 
communication technologies for their own ends. Such is the concern about the 
threats posed by the new wave of criminal activity that the Internet is even 
being seen as a playground for criminals (House of Lords Select Committee on 
Science and Technology, 2007)[1]. This view is underscored by the Internet 
Security Threat Report, issued on 17 September this year, and which describes 


183 


an increase in the use of new communication technologies in the commission 
of identity theft and activities relating to breaching network security systems 
(Symantec, 2007). Phishing is now assuming viral characteristics. 23917 
unique phishing reports were received during July 2007 and the attacks con- 
tinue to increase both in volume and intensity (Anti-Phishing Working Group, 
2007). Securing trust is not an option — it is a necessity. Identity theft, phish- 
ing and its variants have also raised issues in respect of the role, if not the con- 
tinued relevance of law in curbing this social problem. These concerns are 
reasonable - criminal activities transfer onto society significant social and eco- 
nomic costs. As many phishing attacks and security breaches go unreported, 
true estimates of the costs being internalised by society is difficult to ascertain 
(Dutton and Helsper, 2007). This poses an important question about the em- 
phasis placed by legislators on the immunizing properties of the Fraud Act 
2006 — identifying standards of behaviour and norms are useful. Legal com- 
mentators are cautiously optimistic that recent legislative incursions into the 
realm of information security will pay dividends. That said, we are still left 
with the issue of what avenues need to be pursued if securing compliance con- 
tinues to be a problem (Privacy Rights Clearinghouse, 2007). To be sure, the 
testimonies before the Select Committee rehearse longstanding problems re- 
lating to enforcement and raise questions about whether content filtering mech- 
anisms should be used, intermediary and vendor liability and the need to set up 
a centralised and coordinated task force. The Government’s response to the 
Select Committee’s report lacks a proper understanding of the complexities of 
governance in the online environment (UK Government, 2007). It is also un- 
helpful. All these are noteworthy matters but the focus on the issues, which 
continue to be raised, obstructs efforts in undertaking a balanced assessment of 
how best the threat landscape ought to be managed. The high level policy de- 
liberations and examinations of personal internet security appear not to frame 
the problem accurately (Team Cymru, 2006). Internet service providers and 
software manufacturers may have sound commercial reasons for resisting the 
general thrust of the observations made by the Select Committee. We are con- 
sequently left with a mischaracterisation of the problem that can only serve to 
produce policy initiatives that are incoherent, lead to a dialogue of claims and 
counterclaims or result in the status quo being maintained. In the light of the 
Government’s response to the Select Committees, the last observation would 
appear to be true. Accordingly, the paper aims to begin a debate on how we 
could begin to think about information security and the role of law against the 
growing threats posed by identity thieves and phishers. There has been very lit- 
tle by way of discussion on the relationship between the converging multime- 
dia platforms and the management of complexity on the one hand and the 


184 


significance of convergence of data, devices and networks for the continued 
role of the criminal law. To overcome some of the hurdles that often accompany 
attempts to look beyond the steering role of law, I draw on the insights of Sun 
Tzu in The Art of War. A balanced policy debate requires at the very least an 
understanding of two key matters - ‘trivergence’ and the ‘gullible’ computer 
user [2]. The hypothesis is that before we can think about regulatory tools to 
curb practices like phishing and identity theft we need a better understanding 
of the interactions between data, devices and networks. I frame the governance 
challenges posed by identity theft and phishing in terms of warfare and suggest 
a framework that may help us refocus our efforts in developing creative and 
sustainable solutions. That process can only be initiated if we first make clear 
what managing complexity entails — an issue that is obscured by the repeated 
emphasis on the juridicalization of online criminal acts including phishing and 
identity theft. The paper applies ideas from The Art of War to a phishing sce- 
nario, to illustrate the limits of law as an instrument for managing and reduc- 
ing complexity and suggests practical solutions which may help us overcome 
the current impasse regarding personal Internet security. This analysis has three 
implications for current approaches to personal Internet security. First, law 
should not be viewed as the sole or critical instrument for managing risks. Sec- 
ond, pervasive insecurity is the price we pay for increased connectivity. Third, 
when thinking about information security we need creative solutions that re- 
flect emerging realities. As 1.3 billion people become increasingly networked, 
the convergence of data, devices and networks now provides the ‘tipping point’ 
for the centralised institutions for control. Sun Tzu’s The Art of War contains 
some timely reminders about managing ‘trivergence’ and the gullible computer 
user. 


2. The Fraud Act 2006: The Tipping Point? 


The idea that the criminal law be used to maintain order and security is not a 
particularly novel one. Neither, should it be said is the view that the coercive 
machinery of the law be used to compel individuals to internalise acceptable 
social norms and values. What follows is a brief description of the role of law 
in curbing activities like identity theft and phishing. 

The term ‘identity is often used in an arbitrary and imprecise manner 
in popular media and literature (Chawki and Wahab, 2006). Identity theft can 
be viewed as a term of art used to describe activities like the dishonest acqui- 
sition of personal information in order to perpetrate fraud, typically by ob- 
taining credit, loans, etc., in someone else's name. It is arguable that the 
appropriation of an identity of itself will not give rise to a criminal offence [3]. 
Phishing, vishing and pharming on the other hand are more specific in nature. 


185 


These may arise as a result of identity theft but can also be self-contained acts 
[4]. Phishing, for example, is an online activity that uses social engineering 
strategies and technical ploys to gain access to an individuals’ personal iden- 
tity, data and other information. ‘Vishing’ involves criminals sending a spoof 
emails to unsuspecting businesses and individual. Rather than require the in- 
dividual to click on the fraudulent link, the email provides a fraudulent cus- 
tomer services telephone number. Spear phishing on the other hand looks very 
much like an authentic email one expects to receive from an employer, busi- 
ness or organisation. In this type of phishing attack, the recipient may submit 
relevant information like passwords and login information as they assume that 
the request has come from a trusted person within that organisation or business. 

Policymakers view the criminal law as an important instrument for or- 
dering society. There is undoubtedly some justification for the importance 
placed on the criminal law as an instrument for promoting order and the re- 
quirement that individuals internalize a set of social norms and values. Enact- 
ing precise and clear legislation is critical if individuals in society are to adjust 
their behaviour in accordance with the legal rules and standards. Coercion and 
penal sanctions are seen as necessary since order and security have a public in- 
terest dimension. 


2.1 Key Provisions 


Section 1 of the Fraud Act 2006 creates a new general offence of ‘fraud’, which 
can be committed in three ways: by false representation (s2); by failing to dis- 
close information (s3); and by abuse of position (s4). Section 2, with which 
we are primarily concerned here, provides as follows: 

‘ (1) A person is in breach of this section if he— 

(a) dishonestly makes a false representation, and 

(b) intends, by making the representation— 

(i) to make a gain for himself or another, or 

(ii) to cause loss to another or to expose another to a risk of loss. 

(2) A representation is false if— 

(a) it is untrue or misleading, and 

(b) the person making it knows that it is, or might be, untrue or misleading.’ 


Liability for the actus reus of the section 2 offence will be established without 
more where the phisher makes a false representation. For example, an email 
purporting to come from a trusted source like an online bank, organisation or 
employer will be regarded false as it is untrue or misleading (s2(2)(a)). Section 
2(3)(4) respectively state that a representation will include: 


186 


‘(3) any representation as to fact or law, including a representation as to the 
state of mind of— 

(a) the person making the representation, or 

(b) any other person. 

(4) A representation may be express or implied. 

(5) For the purposes of this section a representation may be regarded as made 
if it (or anything implying it) is submitted in any form to any system or device 
designed to receive, convey or respond to communications (with or without 
human intervention).’ 

In short, the elements of the actus reus in a phishing act will be found 
to be present when the initial email requesting the recipient to access a given 
website is received. The email constitutes an implied representation that it is 
from a legitimate source and which is false. With respect to mens rea require- 
ments for section 2, the first element that must be proved by the prosecution is 
that the phisher made the representation dishonestly. This is not defined by the 
2006 Act, and consequently remains a question of fact for the jury to deter- 
mine.( See R v Ghosh [1982] QB 1053) The second element to be proved is 
that the phisher must know that his representation is or might be untrue or mis- 
leading (s2(2)(b)). Third, the phisher must intend, by the false representation 
to make a gain for himself or another, or to cause loss to another or to expose 
another to a risk of loss. It is important to be clear that section 5 provides that 
both these elements extend only to gain or loss in money or other property; 
and include any such gain or loss whether temporary or permanent. Property 
here can now be said to cover any property whether real or personal (includ- 
ing things in action and other intangible property). “Gain” includes a gain by 
keeping what one has, as well as a gain by getting what one does not have. 
“Loss” includes a loss by not getting what one might get, as well as a loss by 
parting with what one has. The impression one gleans from an examination of 
the broad definition of the section 2 offence is that it is technologically neutral. 
Given that phishers have sophisticated technological skills and use innovative 
technological instruments for social engineering, it is important that the legal 
rules anticipate new forms of subterfuge. The 2006 Act does not only cover 
phishers and those engaged in the criminal acts of social engineering or iden- 
tity theft. Persons who have in their possession or under their control any arti- 
cle for use in the course of or in connection with any fraud can now be 
prosecuted under the 2006 Act (s6(1)). Furthermore, any person who makes, 
adapts, supplies or offers to supply any article for use with the activities cov- 
ered by section 1(2) will be regarded as having committed an offence. The 
2006 Act would also appear to make prosecution of phishers and suppliers of 
rootkits or related technology much easier. Prosecution needs to show that the 


187 


person knew that the article was designed or adapted for use in the course of 
or in connection with fraud, or intended it to be used to commit, or assist in the 
commission of fraud. 


Pervasive Insecurity 


The Home Office minister, Gerry Sutcliffe regards the 2006 Act as making an 
important contribution to the fight against fraud (Out-law.com, 2006). His ob- 
servation corresponds with the general thrust of the 2006 Act - the removal of 
the deficiencies in the previous regime on fraud and the incorporation of prin- 
ciples which conform with the concept of technological neutrality. This is un- 
doubtedly a step in the right direction. If the criminal law is to be utilised 
effectively, procedural or technical obstacles must not be permitted to obstruct 
the prosecution of online fraudster. For example, it should not be open to a phi- 
sher prosecuted under this legislation to claim that he was deceiving the com- 
puter or that the intended victim did not read the spoof email. The 2006 Act 
makes clear the types of conduct, which will now be prohibited. Bainbridge 
(2007) observes that the legislation “extends the offence of fraudulent trading 
to sole traders and others not previously caught by the Companies Act. Al- 
though of wider application, the Fraud Act 2006 has significantly improved 
the ability of the criminal law to deal with computer fraud, including tackling 
‘phishing’, that is, obtaining information such as a person’s bank account de- 
tails by sending an e-mail purporting to be from that person’s bank” (p. 276). 

We can conclude that the criminal law has an important standard setting 
role in this context. Unequivocal rules and norms provide a benchmark, which 
can in turn be used to determine the boundaries of permissible behaviour and 
penalise those who do not comply. That said there is very little consensus on 
whether legal reform and more generally the criminal law actually deter 
prospective phishers or identity thieves. It may be the case that an ineffective 
law is better than no law. We should not however underestimate the signifi- 
cance of the deep-seated concerns regarding the ability of the State to deter 
online criminal activity. How can a centralised model of control and coercion 
secure compliance in an environment free of traditional barriers to criminal 
activity? Effective policing of the online environment is heavily reliant on ac- 
cess to scarce resources. The police and specialised agencies dealing with se- 
rious organised crime are also hindered by the fact that they lack technological 
skills and hardware. Phishing and related online fraudulent scams thrive on the 
fact that computers view packets of information are viewed as authentic sig- 
nals. Digitalisation of information in a highly networked environment com- 
pounds the problem of policing and enforcement. To this we can add the 
problems of information asymmetry and market failure in providing the nec- 


188 


essary correctives to the criminal law. Shortcomings in “human systems” and 
vulnerabilities in protocols provide attackers with another exploit venue. Re- 
cently hackers, exploited server vulnerabilities in Monster.com, and acquired. 
personal and financial information of approximately 1.3 million job seekers 
[5]. KPMG Forensic's Fraud Barometer has also reported that fraud levels in 
the UK are increasing dramatically [6]. Fraud levels rose to their highest level 
in 10 years in 2005, to £900m that year. As society, businesses and organisa- 
tions become increasingly networked, it is apparent that the criminal law can- 
not by itself anticipate the evolving threat landscape or compensate for failures 
in soft systems. Anderson regards the problem of information security as one 
of misplaced incentives (Anderson and Moore, 2007). He suggests that inter- 
mediaries like software vendors and Internet service providers should be held 
liable for buffer overflows, and other software vulnerabilities that could have 
been detected. Legal instruments like contract and tort could be used to over- 
come the problems of market failure (Cert Advisory, 2003). There is very lit- 
tle information in the public domain to assist us in forming a view on why we 
have seen little or no litigation activity involving software vendors and Inter- 
net service providers. The other rationale for holding these entities, apart from 
the fact that the have access to key resources is that computer user to deal with 
emerging security threats (Bruce Schneier, 2007). Others have suggested that 
the sanctions imposed by the criminal law on online fraudsters should be in- 
creased to provide effective deterrence. There is some mileage in each of these 
proposals and it remains to be seen whether the Judiciary or Parliament will be 
the driving force for implementing these ideas or whether the current status 
quo will be tolerated. What is particularly interesting when thinking about the 
Government’s response to the Select Committee’s report is that policymakers 
appear not to focussed on the specific concerns raised (Select Committee, 
2007). To be sure, commentators like Schneier and Anderson touch upon an 
issue that is often obscured by legal commentators and policymakers (Schne- 
ier, 2007): how can we manage and reduce complexity when data is transmit- 
ted across networks, applications and devices? Implicit in this question is the 
assumption that the computer and by extension the network is as a trusted sys- 
tem. Anderson seems to have picked on this point. He (2001) observes that 
“[a] typical security system consists of a number of principals such as people, 
companies, computers, and magnetic card readers, which communicate using 
a variety of channels including phones, email, radio, infrared, and by carrying 
data on physical devices such as bank cards and transport tickets. The security 
protocols are the rules that govern these communications. They are typically 
designed so that the system will survive malicious acts such as people telling 
lies on the phone, hostile governments jamming radio, or forgers altering the 


189 


data on train tickets. Protection against all possible attacks is often too expen- 
sive, so protocols are typically designed under certain assumptions about the 
threats ” (p.13). 

The assumption of trusted systems needs to be re-examined (Gordon 
and Loeb, 2002). The idea of misplaced incentives is a sophisticated attempt 
to understand rational decision-making processes of “attackers” and “victims”. 
This point is underscored by the recognition that many software manufactur- 
ers and businesses do not attach sufficient importance to information security. 
Clayton and Moore (2007) view “`‘take-down' as a reactive strategy, an in- 
creasingly prevalent trend in the way that security issues are being handled. 
Software vendors wait for vulnerabilities to be discovered and then issue 
patches. Anti-virus tools update their databases with new signatures as new 
viruses are identified. In these reactive approaches, the defenders aim to iden- 
tify the bad guys as quickly as possible to minimise exposure, while the bad 
guys scramble to open new holes at a sufficiently fast rate to continue their ac- 
tivities.” 

There is a clear issue here as to whether the continued bias of the law to- 
wards software vendors and intermediaries can be defended [7]. It is not the 
aim of the paper to explore the normative issues raised. Consequently, the re- 
mainder of the article provides a framework for addressing the following ques- 
tion: If the computer and networks cease to be trusted systems, what strategies 
can we adopt which is both efficient and sustainable? This is a fundamental 
issue that goes to the core of the Select Committee’s recommendations and 
which the Government’s response does not adequately address. The layered 
network system makes identification and monitoring by the law problematic — 
this is a critical aspect in managing the threat landscape. Whilst traditional 
email exchanges provide information of the sender and recipient, in many phi- 
shing attacks, the websites used for the attack are frequently changed or loca- 
ted on servers outside the jurisdiction of law enforcement authorities. The key 
point here is that if we are to better understand how complexity can be both 
managed and reduced we need to have a clearer idea of the significance of the 
interaction between data, devices and networks in a decentralised and distrib- 
uted computing environment. To conclude, we cannot focus merely on the 
Fraud Act 2006 but need to think about managing complexity when users in- 
teract with data, devices and networks. Identity theft or phishing is not a pro- 
blem that “technology” or “law” can solve — it is a problem about finding a 
strategy to better manage complex network systems where trust is frequently 
breached. More crucially, given that many computer users are not computer 
scientists how should policymakers code rules that anticipate the gullible com- 
puter user? 


190 


3. Sun Tzu and The Art of War 


How do ideas regarding the successful prosecution of armed conflicts lend 
themselves to the challenges posed by identity theft and phishing? Strategic 
thinking and planning in armed conflicts can be seen as a tool for managing 
complexity, risks and uncertainty. Phishers and identity thieves introduce com- 
plexity into trusted systems and architecture. Risk and uncertainty are the corol- 
lary of complexity. Business goodwill and enterprise is conditional on trust 
being maintained. Consumer’s use of the online services is dependent on their 
trust in the integrity of network systems. Security breaches and online fraud 
serve to erode trust. The converse here is that costs have to be incurred by le- 
gitimate online users. Military generals have long been aware of the dire con- 
sequences that follow if an enemy is able to externalise the costs of its activities 
onto its opponent. The terrain, climatic conditions and free flow of information 
can often pose unexpected problems and challenges. In The Art of War, Sun 
Tzu configures data, technology and control into the complex battlespace. 
What follows is a general exposition of his noteworthy observations [8]. 


3.1 The Art of War: A Primer 


One school of thought in military warfare is that an enemy can be overcome 
by the sheer might and superiority of an army’s firepower. Clausewitz’s stra- 
tegy of rapid dominance is sometimes seen as a proponent of this approach 
(Clausewitz, 1976). The strategy of overwhelming force may be useful if armed 
conflict takes place, for example, in an open battlefield but less so where the 
terrain or climatic conditions are varied. According to Sun Tzu, the prosecution 
of war should be underpinned by sound understanding of three main aspects: 
the threat landscape, the motivations of the enemy and an assessment of the 
strengths and weaknesses of both armies (Griffiths, 1963). Decision-making 
must be informed by ‘five fundamental factors’. These can be summed up as 
requiring a moral and coherent framework of planning that is rooted in the pre- 
vailing geographical and climatic conditions. Strategic planning, according to 
Sun Tzu is not a science. Accordingly, a General must integrate the ‘seven ele- 
ments’ into the decision making process. These involve an evaluation of time, 
space and distance and a proper assessment of the risks of success or failure. 
Sun Tzu’s characterization of war as art is a reminder of the need for continu- 
ous assessment of the conditions in the theatre of warfare and to adapt the 
strategies accordingly. The Art of War cannot be separated from its historical 
context. Around 500 BC, feudal conflicts involved the expenditure of vast num- 
bers of manpower and total annihilation of the enemy was seen as key. Sun 


191 





Tzu was adept in recognizing the need for deploying strategies that were effi- 
cient and sustainable. This can be seen in his belief that the “Elements of the 
new armies, capable of co-ordinated movement in accordance with detailed 
plans, were responsive to systematic signals. The science (or art) of tactics was 
born. The enemy, engaged by the cheng (orthodox) force, was defeated by the 
ch’i (unorthodox, unique, rare, wonderful) force, or forces; the normal pattern 
was a holding or fixing effort by the cheng while ch ’7i groups attacked the deep 
flanks and rear (Griffiths, 1963 pp. 34-35)”. 

When organizing the logistics Sun Tzu urges the General to master the 
art of deception and exploit the weaknesses of the enemy. He also suggests 
that it is best to remove the opportunities for attack by creating sound defen- 
ces — the idea that an enemy cannot attack if there are defences may seem co- 
unterintuitive and even reactive. Sun Tzu’s point here is a deeper one — remove 
the incentives for attack by creating effective defenses. 


From The Art of War to Coding for Complexity 


Let us summarise the parallels between the threat landscape in online and of- 
fline environments before exploring the practical reach of Sun Tzu’s claim that 
the removal of incentives can lead to a reduction of attacks. The theme of war- 
fare is also appropriate to changing dynamics of control that previously defi- 
ned the relations between the State and individuals. Arquilla and Ronfeldt 
(1997) point out that “[I]nformation, in all its dimensions, will enhance both 
the destructive and the disruptive capabilities of small units for all the services; 
in an information-age ‘battlespace’, massed forces will simply form juicy tar- 
gets for small, smart attackers. In the new epoch, decisive duels for the control 
of information flows will take the place of drawn-out battles of attrition or an- 
nihilation; the requirement of destroy will recede as the ability to disrupt is en- 
hanced” (p.2). 

Free flow of information can assist both the army and its enemy. The 
challenge for the protagonists in both online and offline contexts is the same — 
managing the convergence of data, network infrastructures and devices. The 
threat landscape can be likened to a digital panopticon where the attacker has 
the advantage of identifying the time, frequency and place of attack. Accor- 
dingly, legitimate computer users and organisations have to assume the burdens 
resulting from a criminal’s ability to leverage interconnectivity, mobility, ine- 
xpensive communication technologies. Indeed, social engineering techniques 
like phishing correspond very much with the tenets in The Art of War. As the 
Anti-Phishing Working Group indicates, “[s]ocial-engineering schemes use 
‘spoofed! e-mails to lead consumers to counterfeit websites designed to trick re- 
cipients into divulging financial data such as account usernames and pas- 


192 


swords. Hijacking brand names of banks, e-retailers and credit card compa- 
nies, phishers often convince recipients to respond. Technical subterfuge sche- 
mes plant crimeware onto PCs to steal credentials directly, often using key 
logging systems to intercept consumers online account user names and pas- 
swords, and to corrupt local and remote navigational infrastructures to misdi- 
rect consumers to counterfeit websites and to authentic websites through 
phisher-controlled proxies that can be used to monitor and intercept consu- 
mers’ keystrokes” (2007). 

Sun Tzu insights can help us in going beyond the constraints that juri- 
dicalization of social problems appear to pose. Indeed, the problems identified 
by Sun Tzu have contemporary equivalents: misplaced incentives, informa- 
tion asymmetry and market failures. Or in Cyberlaw, the four modalities: law, 
technology, market and norms. It is Sun Tzu’s understanding of the nuances of 
warfare, goal definition and the need to undertake fresh consideration of the 
strengths and weaknesses of the respective armies that provides us with a pun- 
gent example of how we can begin to think seriously personal Internet secu- 
rity. In short, governance is a problem rooted in managing complexity. 


3.3 Coding For Security 


I focus on one key challenge — to reduce the avenues for exploitation by phi- 
shers through design solutions which replicate prudent decision making pro- 
cesses. This is not a task that is ahead of its time. Benkler (2006) reminds us 
that we “live in a technological context in which a tremendous amount of ex- 
cess capacity of the basic building blocks of our information and communica- 
tion infrastructure is widely deployed...Harnessing this excess capacity to 
create such a survivable infrastructure will likely be done most effectively, not 
through improving the ability to price these resources, but through improving 
the conditions for social sharing and exchange of the excess capacity users 
own. If we invest our policy efforts in hardening our systems to attack instead 
of rendering them survivable, if we ignore in our institutional design choices 
the effects on price-based markets and enterprise organization, we will lose a 
significant opportunity to improve the survivability of our information systems 
at relatively low cost and with minimal bureaucratic intervention” (p.75). 
Benkler’s point, echoes of Sun Tzu’s emphasis on making the enemy 
externalise the costs of his activities through creative use of all available re- 
sources. To put it differently, as convergence creates a digital panopticon, on- 
going reinforcement expenditure in the form of “digital locks” is unlikely to be 
a viable and sustainable enterprise. It is now becoming apparent that most 
phishing attacks are launched by organised criminal gangs and highly sophis- 
ticated computer users. From the perspective of the attacker, the benefits to be 


193 


derived and the scale of the attacks is in inverse ratio to the likelihood of de- 
tection and capture. Networks and computer systems have been shown to be 
vulnerable to system exploits in the form of buffer overflows. System flaws can 
be detected by attackers remotely and escape detection. Phishers now send 
spoof emails from zombie networks of home computers or use anoymising 
systems like the Onion routing system. Keyloggers allow identity thieves to 
eavesdrop into communications conducted over networks. Spoof emails exploit 
the vulnerability inherent human trusted systems. The result of such techni- 
ques is that monitoring, detection and capture become difficult. 

Let us test the value of the The Art of War and in particular, assess whe- 
ther it generates additional insights in respect of personal Internet security? 
Consider as an example a phishing attack on a bank in Liverpool. A victim re- 
ceives a phishing email purporting to come from a trusted party — Tsing Chao 
Banking Corporation. This email has a link to a fraudulent website. The attac- 
ker leverages the resources of the trusted system into tricking the unsuspecting 
individual into thinking that the Bank initiated the communication. Assume 
that the victim responds to the spoof email. The phisher now gains access to a 
range of information, which includes personal data, usernames and passwords 
and financial information. Coding for security is about managing convergence. 
Andrew Zimmerman has suggested that the new dynamics of engagement re- 
volve around the convergence of networks, data and devices. Zimmerman’s 
observation corresponds very much with Sun Tzu’s view that planning and de- 
ployment efforts cannot be dissociated from the architectural landscape. Sun 
Tzu’s insights are instructive as they draw attention to three features that cha- 
racterize the management of complexity in the age of ‘trivergence’. First, we 
need to better understand the reasons victims falls prey to social engineering 
techniques. Second, the decentralised communications infrastructure will pre- 
scribe the trade-offs and options that need to be brought to bear in respect of 
managing complexity. Third, technology, economic and social processes must 
be viewed as part of a broader governance strategy that includes, information 
gathering, standard setting and behaviour modification (Hood, Rothstein and 
Baldwin, 2001). These three features remind us that law is a crude instrument 
through which “end-to-end” relationships of trust can be sustained. Coding re- 
sponsive security protocols may however provide us a strategy for creating di- 
sincentives for phishers and identity thieves. The benefits in adopting this 
measure is not to be underestimated. Failures in ‘human systems’ lay at the 
root of the security breaches in Monster.com. Attackers used the Infostealer, 
Monstres Trojan to exploit Monster.com’s database. The attackers gained ac- 
cess to the resume database using legitimate usernames and passwords of em- 
ployers and human resource personnel’s accounts. Spoof emails sent to 


194 


Monster.com’s clients were designed to look like an authentic email from the 
company. According to Dun and Bradstreet, identity theft fraudsters are turning 
their attention to social networking sites (Dun & Bradstreet, 2007). Sophos, 
the IT and Security corporation recently conducted a Facebook ID probe and 
discovered the ease with which information and identity theft takes place on so- 
cial networking sites. It will be apparent here that an attacker needs to access 
only a few portals of information to recoup the dividends of his actions glo- 
bally. 

The ubiquitous computing environment, as reflected in the convergence 
of data, devices and networks, opens up possible design solutions. Sun Tzu re- 
minds us that trust is socially constructed and managing complexity is an im- 
portant part of the construction process. To date, we have assumed that the 
computer is a trusted system and that the ‘end-to-end’ architecture is somehow 
outside the boundaries of law. The focus on functionality of software creates a 
tradeoff between convenience and security. The values and priorities implicit 
in the balancing process needs to be reassessed. If principles of coding are to 
be reassessed what shape might they take? I suggest that the answer revolves 
around the axis of four key norms: (i) coding for trust through increased au- 
thentication; (ii) coding for “human failure”; (iii) coding as reaction to “bad 
code”; and (iv) coding as scientific communications. We need to ‘couple’ law 
with other regulatory tools. Rather than introduce legal reforms or regulations 
we could perhaps incentivise organisations to develop and sustain scientific 
and educational developments in this area. Technological solutions may bea 
positive response to overcoming the deficits in trusted computing systems and 
human failures. There is some evidence that the market is already aware of the 
need to bridge the trust deficit. VeriSign, for example, provides intrusion de- 
tection, threat scanning and patch implementation functions. Google, curren- 
tly use web-crawlers to identify infected web pages. Exploit Labs, for example 
provide a LinkScanner functionality. Website owners can install a malicious 
content scanner on their site. Visitors to the site can type or paste a URL into 
the LinkScanner text box and will know whether the web page is safe. If the 
link has potential malware binaries, the visitor will be informed of this. Orga- 
nisations in the public and private sector are using education as a means to pro- 
mote responsible risk behaviour. ISPs are beginning to educate subscribers and 
users on the importance of safe browsing. This initiative is an important re- 
sponse to malware writers increasingly targeting instant messaging and peer- 
to-peer networks as potential vectors for distribution of viruses and worms. 
Equally, commercial and non-commercial organisations now make available 
“safety packages” as part of their subscription, with regular information about 
security issues and updates for browsers, plugins, applications and operating 


195 


systems. For example, the Mozilla Foundation now makes phishing protection 
available on a non-commercial basis. Visitors to the site are provided with a test 
site to see if the phishing protection facility on their system has been enabled. 
Microsoft also provides a range of information seeking to educate users on the 
type of phishing hoaxes. These initiatives aim to provide a counterpoint to the 
methods employed by phishers and identity thieves in abusing trust. Recall 
how phishers use social engineering techniques to breach traditional perime- 
ter and end point controls in anti-virus or anti-spyware products. Technology 
that mirror ‘prudent behavioral norms’ help minimise the threat consequences 
posed by the “gullible” human. The design solution here is the overriding of de- 
cision-making processes that lead to risk exposure. Real time protection and 
monitoring of application-level traffic will operate independently of the human 
computer user. Coding for security can be extended to developing software 
products that enable the identity of websites to be authenticated. Such software 
will enable end users to determine whether the website they are visiting or ac- 
cessed via an email link is a trusted site. The process of authentication is fairly 
straightforward. The user needs only to place the mouse over a logo or image 
and the verification software will highlight the trust credentials of the site. 
BankSafe have a commercial product that encodes “risk management” norms 
into its anti-phishing software. This software runs on Windows applications 
and provides real time protection. It scans web pages visited by the end user. 
For example, when the user visits a malware vector that steal passwords and 
usernames, the browser is instantly shut down. The software also provides an 
early warning detection facility when phishing emails arrive into the inbox or 
fake DNS entries detected. 


4. Conclusion 


The Government’s response to the report issued by the Select Committee un- 
derscores the premise of this paper — ‘trivergence’ conceals a paradox that law 
and politicians may be incapable of resolving. Indeed, the threat landscape is 
far more complex than the Government’s response implies. This paper has pro- 
posed a way of thinking about managing complexity and what that entails in 
tangible terms. Limitations of space mean that some of the emerging informa- 
tion security problems in social networking sites or from increased conver- 
gence have not been examined in great detail. Cyberlawyers steeped in the idea 
that law has the ‘right answers’ may be disappointed in the thrust of the argu- 
ments offered. Policymakers who start from the premise that absolute security 
is attainable may react in a similar fashion. The distinguished members of the 
Select Committee should be congratulated for placing personal information 


196 


security on the public platform and the testimonies of Schneier and Anderson 
deserve greater examination. In keeping with the general thrust of providing a 
balanced policy analysis I focused on the benefits of coding security norms. 
This is an avenue for delivering efficient, accessible and sustainable design so- 
lutions. Effective governance is not merely a matter of deterrence, it also re- 
quires an understanding of complexity and an examination of how best issues 
of functionality, convenience and security are to be negotiated. Functionality 
and convenience are not necessarily compatible with security considerations. 
As design solutions are increasingly embedded into networks and devices, se- 
curity norms can be engineered into default protocols. The proposals offered 
by Anderson and Schneier in shifting the cultural mindset of software vendors 
and manufactures merit serious consideration. Re-thinking design principles 
may be a way forward — there is emerging evidence in the market that this is 
not a Panglossian exercise. It may be that as consumers of security, we may like 
Sun Tzu, have to make choices. The difficult choice here, and which is one of 
the enduring insights from The Art of War is this: what is the price to be paid 
for continuing to enjoy the benefits provided by the Internet whilst mindful 
that deviants have always sought to destroy value and create chaos? Informa- 
tion security is more than science — design solutions should not be underesti- 
mated. But neither should we forget, managing complexity is an art. 


Notes 


[1] Hereinafter Select Committee. 


[2] See generally the idea of trivergence in Andrew Zimmerman’s blog. Retrieved No- 
vember 5, 2007, from http://www.accenture.com/Global/Accenture_Blogs/Triver- 
gence Blog/default.htm. Also reference can be made to http://www.accenture.com/NR/ 
rdonlyres/2F69B741-A4DA-4ADE-A71E-32043B007B75/ O/edge.pdf. Retrieved Novem- 
ber 5, 2007. 

[3] See Memorandum from the Society for Computers and Law—Internet Interest Group 
and Privacy and Data Protection Interest Group paragraph 5. Retrieved November 5, 2007, 
from _http://www.publications.parliament.uk/pa/1d200607/ Idselect/Idsctech/165/7012 
406. htm. 

[4] See generally information at http://www.microsoft.com/protect/yourself/phishing/. 

[5] See http://help.monster.cony/besafe/. 

[6] See http://www.kpmg.co.uk/news/detail.cfm?pr=2913. Retrieved on November 5, 2007. 
[7] https://www.kb.cert.org/vuls/id/635463. Retrieved on November 5, 2007. Also the US 
ruling L Pisciotta and D Mills v Old National Bancorp US Court of Appeals for the Sev- 
enth Circuit No 06-3187 http://blog. wired.com/27bstroke6/files/5W 1FFXPR.pdf. Retrieved 
on November 5, 2007. 

[8] The account on Sun Tzu synthesizes the information from Griffith, S.B. (1963). Sun Tzu: 
The Art of War. Oxford: Clarendon Press. Bartley, C (2005). The Art of Terrorism: What 
Sun Tzu Can Teach Us About International Terrorism. Comparative Strategy Volume 24, 
235-51. 


197 


Reference (Selected) 


1. 


10. 


11. 


17. 


19. 


Anti-Phishing Working Group Report (2007) Retrieved 8 November 2007, 
http://www.antiphishing.org/reports/apwg_report , july_2007.pdf 

Anderson, R. (2001). Security Engineering: A Guide to Building Dependable Dis- 
tributed Systems. London: John Wiley. 

Anderson, R. & Moore, T. (2006). Information Security Economics and Beyond. Re- 
trieved November 5, 2007, from http://www.cl.cam.ac.uk/~rja14/Papers/ 
econ_crypto.pdf 

Arquilla, J. & Ronfeldt, D. (1997). A New Epoch — And Spectrum — of Conflict. In J 
Arquilla & D Rondfeldt, (Eds.), In Athena’s Camp: Preparing for Conflict in the In- 
formation Age. US: Rand. 

Bainbridge, D. (2007). Criminal law tackles computer fraud and misuse. Computer 
Law & Security Report. Volume 23, 276-281. 

Benkler, Y. Peer Production of Survivable Critical Infrastructures. In M. Grady and 
F. Parisi (Eds.), The Law and Economics of Cybersecurity. US: Cambridge. 

Cert Advisory (2003). CA-2003-16, Buffer Overflow in Microsoft RPC. Retrieved 
from http://www.cert.org/advisories/CA-2003-16.html 

Chawki, M. & Wahab, M. (2006). Identity Theft in Cyberspace: Issues and Solutions. 
Lex Electronica Volume 11, (Issue 1), 1-41. Retrieved July 10, 2007, from 
http://www.lex-electronica.org/articles/v11-1/chawki_abdel-wahab.htm. 

Clausewitz, C.V. (1976). On War. In M Howard and P Paret (Ed. and Transl). Oxford: 
Princeton UP. 

Dun & Bradstreet. (2007). Social Networkers at Risk of Identity Theft. Press Release 
August 8. 

Retrieved on November 6, 2007, from http://www.scoop.co.nz/stories/print.html? 
path=BU0708/S00580.htm 

Dutton, W. and Helsper, E. (2007). The Internet In Britain 2007. Oxford: Oxford In- 
ternet Survey. 

Gordon, L. & Loeb, M. (2002).The economics of information security investment”. 
ACM Transactions on Information and System Security Volume 5 (Issue 4), 438-457. 
Hood, C. Rothstein, H. & Baldwin, R. (2001). The Government of Risk. Oxford:OUP 
(pp.4-35). 

House of Lords Select Committee on Science and Technology. (2007). Personal In- 
ternet Security (HL Paper 165 — I). (London: Stationary Office). 

Moore, T & Clayton, R. (2007). An Empirical Analysis of the Current State of Phish- 
ing Attack and Defence. Workshop on the Economics of Information Security. Re- 
trieved November 1, 2007, from http://weis2007.econinfosec.org/papers/5 1 .pdf. 
Out-law.com. (2006). Prison term for phishing fraudsters. The Register, 14 Novem- 
ber, 2006. Retrieved November 8, 2007, from 
http://www. theregister.co.uk/2006/11/14/fraud_act_outlaws | phishing/ 

Privacy Rights Clearing House, (2007). A Chronology of Data Breaches. Retrieved 
November 7, 2007, from http://www.privacyrights.org/ar/ChronDataBreaches.htm. 
Science and Technology Committee Session 2006-07 HL Paper 165, Personal Inter- 
net Security. 


198 


20. 


21. 


22. 
23. 


24. 


Schneier, B. (2007). Minutes of Evidence before the Select Committee on Science and 
Technology, February 21, 2007. Retrieved November 7, 2007, from http://www.pub- 
lications.parliament.uk/pa/Id/lduncorr/s&tii210207a.pdf. 


Sophos Plc.(2007). Sophos Facebook ID probe shows 41% of users happy to reveal 
all to potential identity thieves. Retrieved November 7, 2007, from 
http://www.sophos.com/pressoffice/news/articles/2007/08/facebook.html 

Symantec Plc.(2007). Internet Security Threat Report, Volume XII 


Team Cymru (2006). The underground economy:priceless. Retrieved November 8, 
2007, from http://www.usenix.org/publications/login/2006-12/openpdfs/cymru.pdf 


UK Government. (2007). The Government’s Reply To The Fifth Report From the 
House of Lords 


199 






































t 





New Phishes in the Pond: A Wake up Call for China in 
the Context of Management of Computer Crime 


Shalini Kesar 
Professor of Information Systems Security, Department of Computer Science 
& Information Systems, College of Computing, Integrated Engineering and 
Technology, 
Southern Utah University, Cedar City, Utah. 
Skesar2@gmail.com 


Abstract: This paper provides an insight into the management 
of computer crime in the context of China. Given that China, like other 
countries, face the increasing problem of computer crime, it is prudent 
that the Chinese government understand that managing computer crime 
cannot alone be dealt with technical controls such as firewalls. In pre- 
senting this argument, this paper reflects how China should learn les- 
sons from other countries and focus on addressing both technical and 
social issues when managing such illicit acts. 


Keywords: Computer crime, China, Information security, Technical and social issues 
of Information technology. 


1. Introduction 


This paper started with a general interest in the increasing problem of com- 
puter related crime in China. It is estimated that countries like China will ex- 
ceed the number of Internet users than in the United States by the year 2010. 
Further, well recognized reports such Computer Security Institute and Federal 
of Investigation (CSI/FBI) Surveys state that China is one of the most common 
countries of origin for computer related crime where intrusion attempts from 
outside the organizations (see CSI/FBI 2005). Interestingly, if the Chinese do- 
mestic Information Technology (IT) market continues to grow in conducting 
joint ventures with other countries, China will indeed be of no exception to 
face the increasing threats from computer crime. Given that China constitutes 
a large population and a growing IT sector, it can be argued that China per- 
haps it will be at a even greater threat to such crimes than what is it now. 
Against this backdrop, this paper argues that countries like China, when 
trying to manage computer crime, need to focus on both technical and social 
issues associated with IT. This is because focusing on the technical measures 
only provides a partial solution to managing computer crime. Given that nu- 
merous annual reports and studies on computer crime are eager to propagate 


201 


the idea that such illicit acts are predominantly the result of disregard for basic 
security strengthens the argument in presented in this paper. Increasing so- 
phistication of employees and the kind of information they require for their 
daily activities within the workplace implies that it is no longer possible to 
maintain effective security by technical controls (see Audit Commission 2001; 
Croall, 2001; Kesar 2005). Further, information security researchers and prac- 
titioners comment that opportunities for computer crime may well be spread 
within an organization where different responses arise from work pressures 
and working conditions conducive computer crime (for example, see Croall 
2001; Kesar and Rogerson 1998; Kesar 2005). 

This paper is divided into four sections. After a brief introduction, section 
2 highlights the growing problem of computer crime followed by a discussion 
on the underlying causes of such acts and the uniqueness of computer crime. 
Section 3 discusses computer crime in the context of China. It discusses the in- 
creasing usage of the Internet in China followed by the increasing problem of 
computer crime in China and the challenges the Chinese government may face 
with regard to managing such illicit acts. It also presents a discussion on how 
China can learn lessons from other countries. Finally, section 5 presents a con- 
clusion. 


2. Growing Problem of Computer Crime 


In general, computer crime is defined as a deliberate misappropriation by which 
an employee tries to gain unauthorized access to the organization’s information 
systems. The misappropriation itself may be opportunistic, pressured, or a sin- 
gle-minded, calculated plan. Audit Commission Report (2001), broadly defi- 
nes computer crime by categorizing into various illicit acts such as fraud; theft; 
use of illicit software; invasions of privacy; hacking; sabotage and virus. Some 
researchers believe computer crime is simply another form of what researchers 
earlier termed ‘white-collar crime’, older forms of deviance and crime ‘reto- 
oled’ for the computer age (see Hollinger, 1997). In 1949, Sutherland defined 
white-collar crime to include employees of respectability and high social sta- 
tus in the workplace. With the advent of IT, new types of computer related 
crime involves deception designed to steal your valuable personal data, such 
as credit card numbers, passwords, account data, or other information have 
emerged. Such types of computer related illicit activities include identify theft 
and phishing. The term “Cyber Crime” on the other hand, describes criminal 
activities committed through the use of electronic communications media. One 
of the greatest concerns is with regard to cyber-fraud and identity theft through 
such methods as phishing, spoofing and through the abuse of online surveil- 
lance technology. 


202 


2.1 Underlying Causes of Computer Crime 


There are various theories regarding the complex nature of computer crime, 
particularly occurring within the organization. On the one hand, researchers 
attribute personal reasons as the main cause of computer crime. On the other 
hand, studies link computer related crime with business success (Box, 1983). 
However, evidence to suggest that all offenders who engage in intentional il- 
licit activities within organizations are ‘bad people’, is an assumption that can 
be challenged (Punch 1996). This is because the relationships between indi- 
vidual, organisational and sociological factors also play an important part in the 
occurrence of computer fraud. Schrager and Short (1997) summaries this well: 


“Preoccupation with individuals can lead us to underestimate the pres- 
sures with society and organizational structures which impel those indi- 
viduals to commit illegal acts...recognizing that structural forces 
influence the commission of these offences does not negate the impor- 
tance of interaction between individuals and these forces, nor does it 
deny that individuals are involved in the commission of illegal organi- 
zational acts. It serves to emphasize organizational as opposed to indi- 
vidual etiological factors, and calls for a macro sociological rather than 
an individual level of explanation” [pg 85]. 


In trying to understand the complex nature of computer crime, the above 
approach tends to serve as an ideological function where the focus diverts at- 
tention from the “barrel” (Doig 1984), which include practices and other issues 
associated with the organization itself. This strengthens the contention that in- 
dividual explanations, although often associated with computer crime, is how- 
ever, limited in explaining the underlying causes of such acts. In this context, 
Croall (2001) further advocates: 


“Individual motivations must be located in the wider context of the or- 
ganizations in which the offending takes place and the cultural values 
that encourage or discourage offending” [Pg 84]. 


In the light of this, traditional criminology studies that focus on crimi- 
nal motivations of individuals now have been generally dismissed as superfi- 
cial and over-generalized by most researchers (for example, see Braithwaite 
1984; Nilken, 1997). Slapper and Tombs (1999), for example argue that the so 
called “general theories” do not explain the criminal values or how crimes orig- 
inate and may therefore explain the perpetuation of crime but not its origin. 
Researchers like Clarke (1997) believed two main ‘mistakes’ made by tradi- 
tional criminology. Firstly, criminologists assumed that understanding the 
crime is the same as understanding the criminal (Gottfredson and Hirschi 


203 


1990). Secondly, the misconception relates to the aspect of crime control ver- 
sus dealing with the criminal (Wilkins, 1990) that asserts that the solution of 
reducing crime implies a focus on the criminal. Within studies, these types of 
control to combat computer related criminal acts, can be seen where researchers 
have used the general deterrence theory from criminology to predict the use of 
deterrent security countermeasures (for information security polices and guide- 
lines, security awareness programmes and preventative security software). 
These deterrent measures are applied with the idea that they will ‘lower’ abuse 
of information systems by convincing potential offenders (employees) that 
there is too high a certainty of getting caught and that punishment can be se- 
vere (Straub and Welke ,1998). Information security researchers have relied 
on deterrence theory, which although useful, has been recently criticized for its 
limitations (see recent article presented by D’Arcy and Hovav 2004 at Tenth 
Americas Conference on Information Systems). Researchers are consistent to 
claim: 


“Deterrent efforts correspond to certainty of sanctions because the 
amount of such efforts directly affects the probability that IS abuser will 
be caught” [Kankanhalli et al. 2003, pg 141]. 


This again is dependant upon the working environment of the organiza- 
tion. Therefore, an employees’ perceptions of threats imposed by ‘deterrence 
security mechanisms’ may not be directly proportional to the actual level of 
controls and safeguards implemented within an organization (D’Arcy and 
Hovav 2004). Consequently, researchers argue that it is the perceptions of sanc- 
tions themselves that lead to deterrence (Tittle, 1980; Straub,1990; Kankan- 
halli et al. 2003). Researchers have also pointed out the need for such studies 
to take into account the impact of individual characteristics such as gender and 
age (D’Arcy and Hovav 2004). Overall, the general theory of deterrence from 
the studies of criminology, although it provides a sound theoretical justification 
for the use of deterrent countermeasures as a means to limit acts of computer 
related crimes, it nevertheless provides a partial viewpoint to understanding the 
complex nature of such illicit acts. 

Differing in its focus from most criminology studies is a relatively new 
school of thought, Situational Crime Prevention (SCP), where the emphasis is 
more on the criminal settings, rather than the criminal (Clarke, 1997). Thus, 
rather than detecting or sanctioning offenders, the starting point of SCP is to cir- 
cumvent the occurrence of generic crimes and to reduce criminal tendencies 
through enhancement of society, like better housing or education. Little atten- 
tion was given to this new school of thought by criminologists and policy- 
makers until Clarke’s (ibid) seminal work. Similarly, Croall (2001) suggests 


204 


that most of the earlier theories that focus on individual choices to commit 
crime tend to exclude white-collar offenders, and are therefore considered in- 
appropriate. This is important to note since computer crime, as argued by var- 
ious researchers is a form of white-collar crime (for different viewpoints, see 
Perrolle, 1987; Johnson 1994; Maner, 1996; Hollinger, 1997). Hence, it be- 
comes clear that computer crime is complex in nature and encompasses dif- 
ferent types of acts. 

To sum up, the complexity associated with computer crime within or- 
ganisations can be fully understood when personality traits are seen in the con- 
text of the working environment, which is a pre-requisite for participation in 
such offences (also see Mars 1982; Dhillon and Backhouse 1996; Kesar and 
Rogerson 1998; Audit Commission 1998). This is because reports and survey 
indicate that a failure in basic controls is still a problem. As noted, this mani- 
fests itself as the failure of some organisations to implement even the most 
basic controls, thereby leaving information systems vulnerable. Consequently, 
creating those working environment, which in turn represent ‘suitable oppor- 
tunities’ for the likelihood of computer crime emphasises the significance of 
examining wider organisational and structural issues. This is particularly true 
for those kind of crime where employees choose to commit, therefore, is de- 
pendent on the range of ‘suitable opportunities’ provided by the different so- 
cial and cultural settings within organizations (for example, see Audit 
Commission ,2001; Croall, 2001; Kesar,2005). As evidenced by Forester and 
Morrison (1994) who advocate: 


“Experts on computer fraud attest that opportunity more than anything 
else seems to generate this kind of behaviour [pg 41]”. 


As mentioned earlier, whilst it is difficult to estimate exactly what pro- 
portion of crime originates from within or outside the organization, it is clear 
one of the main concerns for occurrence of computer crime is the ‘suitable op- 
portunities’ available to employees, where organizations have failed to take 
the necessary precautions (see, for example, Vitell and Davies 1990; Bologna 
1993; BloomBecker, 1984; Forester and Morrison 1994; Hitchings, 1995; 
Rawnsley,1995; Audit Commission,2001; CSI/FBI 2004, 2005). In his early 
paper, BloomBecker (1984), for examples points out the ‘land of opportunity’ 
as one of the eight types of motivational factors. BloomBecker explains the 
consequences of this motivational factor where employees exploit security 
loopholes discovered during the course of their daily work activities. Regard- 
less of the underlying theories, it is clear the computer crime requires man- 
agement process that thinks beyond technical controls. Most researchers are 
consistent in their contention that lack of supervision, absence of safeguards, 


205 


and diffusion of responsibilities can indeed create ‘suitable opportunities’ con- 
ducive to computer crime. 


2.2 Uniqueness of Computer Crime 


Various researchers have raised the question of whether computer crime invo- 
Ives unique kinds of illicit behavior (for example, see Parker 1976; Johnson 
1994; Maner 1996). As mentioned above, some researchers believe that com- 
puter related crime is simply another form of what researchers earlier termed 
‘white-collar crime’-older forms of deviance and crime ‘retooled’ for the com- 
puter age (see Hollinger 1997). Regardless of new types of computer crime, 
many researchers argue that computer crime can be addressed with the exi- 
sting laws as computer crime is just a manifestation of old type of crime-white 
collar crime. It is clear that computer crime have a wide diversity of types and 
characteristics involving different computer roles, different kinds of fraud, sa- 
botage, vandalism, theft and phishing and so on. 


Many countries have either updated their existing laws associated with 
computer crime or passed new laws to combat with such threats. However, 
laws in general have been criticized for not been able to deal with the conti- 
nual growing concerns of new crimes such as phishing and identify theft. This 
is becasue the uniqueness of computer crime are previously unknown abuses 
that do not fit well into traditional criminal statutes. Essentially many ack- 
nowledge the unique nature of such activities. Johnson (1994), for example, be- 
lieves computers are so different from other technologies that they are “more 
likely to change the fundamental character of everything that we do”. Howe- 
ver, Johnson believes that problems related to IT are similar to prior issues, 
but with a ‘new twist’. Similarly, Perrolle (1987) expresses a parallel viewpo- 
int where she sees no distinction between what Sutherland had defined as 
white-collar crime and computer related crimes that occurs due to rapid emer- 
gence of IT. She uses the term ‘computerized white-collar crime’ in her book 
to refer to computer crime because she believes the only difference is that “the 
paper trail used by auditors to track down many white collar crimes has turned 
into an electronic trail...” (also see the viewpoint of Maner 1996). In light of 
this, the prevalence of computer crime has resulted in many debates regarding 
its uniqueness; but irrespective of whether it is classified as ‘old’ or ‘new’, it 
certainly is clear that management of computer crime need to address both 
technical and social issues (see, for example, Johnson and Nissenbaum 1995; 
Kling 1996; Spinello 1997; Clarke 1999; CSI/FBI 205; Kesar 2005). The po- 
tential impact of computer crime is therefore enormous. 


206 


2.3 Increasing Problems of Computer Crime within Organizations 


It is clear from various reports and surveys that threats from computer crimes 
and other information security breaches continue unabated; the financial toll is 
mounting and threats from originating from both outside and within organiza- 
tions continue to pose threats to business’ assets. This problem is further ex- 
acerbated, as there is an “increased recognition that information has value” 
(See CSI/FBI 2005). The extent of the damage that can be causes by such il- 
licit acts within organizations can be gauged from well know reports and sur- 
veys around the world. Although, reports such as Audit Commission and 
CSI/FBI provide a good starting point for documenting the nature and extent 
of computer crime within organizations in recent years, these only represent the 
tip of the potentially large problem. Some examples illustrate the extent of the 
problem. 

In July 2006, for example, National news agencies reported that two 
banks in Singapore have been the targets of the latest phishing scam. [1] Emails 
purportedly from Citibank and OCBC Bank were sent to their customers ask- 
ing the recipients for their personal data in order to verify their accounts, oth- 
erwise access to their accounts would be denied. After action taken by the bank, 
the fraudulent sites were closed and this matter was brought to the attention of 
the Monetary Authority of Singapore (MAS) and the Singapore Computer 
Emergency Response Team (SCERT) for further investigations and action. 
Ironically, even the MAS itself was a target of phishing within the same month. 
Other studies and reports also highlight the increasing problem of computer 
crime. For example, the findings of CSI/FBI 2005 Survey on computer crime 
highlighted: 


e Security software and hardware failed to prevent more than 5,000 incidents 
among those surveyed. Eighty-seven percent of respondents said they expe- 
rienced some type of incident. 

e Use of antivirus, antispyware, firewalls and antispam software is almost uni- 
versal among those who responded. However, the software apparently did 
little to stop malicious insiders. 

e Of those admitting they did not alert the authorities after a security breach, 
about 700 respondents said there was no criminal activity, almost an identi- 
cal number indicated the incident was too small to report and 329 (23%) 
thought law enforcement would not be interested. 


In the backdrop of the reports mentioned above, it is clear that the grow- 
ing problem of computer crime is further compounded by the fact that such 
cases are not restricted to one particular country. Hence, computer crime could 
have a greater impact than conventional crime. Of the intrusion attempts that 


207 


appeared to have come from outside the organizations, the most common coun- 
tries of origin appeared to be United States, China, Nigeria, Korea, Germany, 
Russia, and Romania.’ 


3. China and the Internet 


Recently, China has caught attention of several academic and practitioners. 
Not only China is one of the nation, which constitutes majority of the world’s 
population but its government has made IT and the Internet a priority to play 
pivotal role in their internal developments and their relations with the rest of 
the world (Press et al, 2003). This is best illustrated in the recent (September 
7, 2007), China Internet Network Information Center (CNNIS) Survey. [2] 
Based on this first macro development of the Internet in rural areas and a com- 
prehensive survey report, the key issues pointed were: 


e@ The current scale of China’s rural areas more than 37 million Internet users, 
and this group concentrated on the use of the Internet in the entertainment 
function, the proportion of Internet users and towns flat- as of June 2007, the 
scale of rural Internet users reached 37.41 million people, 737 million rural 
residents, the Internet penetration rate is only 5.1%; 

e Compared to the scale of China’s urbanization reached 125 million users, the 
Internet penetration rate has reached 21. 6% of the urban and rural “digital di- 
vide” obvious. Compared with the end of 2006, the “digital divide” is gradu- 
ally narrowing. The scale of Internet users in rural areas in 2006 was 23.1 
million; the Internet penetration rate is 3.1%. 

è Inrural and urban Internet users’ considerable extent, rural Internet users use 
online music, online games, video network for the respective proportions of 
68.9%, 47.1% and 60.9%, 68.4 for urban users %, 47.0% and 61.2%. 

e With the National Rural Construction of promoting information, the Internet 
has become a new rural important part of the building. 37 million rural Inter- 
net users have not to be underestimated consumer demand, and the rural areas 
that will become one of the Internet has enormous potential market, have 
emerged in the true sense of business. 


In general, the process for the Chinese government to manage the In- 
ternet has become complex because governmental organizations acceptation of 
being involved in the economic leverage has increased. Having said that, the 
Ministry of Information Industry (MII) is the predominant decision-maker with 
regard to the Internet. Several studies reflect how China’s economic reforms, 
both capital and openness to the Intent began around the 1980s and conse- 
quently they discuss its impact of diffusion of the Internet on economic and po- 
litical conditions. In addition, studies also illustrate issues associated with the 
increase of competition among government owned organizations in China 
(Press et al, 2003). 


208 


In addition, statistics reflect the increase of IT use within China. For ex- 
ample, the number of computers sold in China last year reached 22 million 
(2nd after U.S.) and the number of broadband users has reached 31.10 million, 
an increase of 13.70 million over the past 12 months (an increase of 78.7% 
over a 6 month period). Therefore, there is no surprise that China's online shop- 
ping market was worth 4.2 billion Yuan (US$507.5 million) last year and is 
expected to double this year. [3] As a result, global Internet giants such as eBay 
Inc., Yahoo Inc. and Amazon.com Inc. have all taken the Chinese imitative to 
pay a combined US$375 million to acquire domestic start-ups in China. [4] 
Indeed, there are many examples that reflect China to be a major global eco- 
nomic force and will grow dramatically in the foreseeable future. Given that the 
Internet in China has been widely adopted in the academic sector and is being 
rolled out in the public and business sectors as well, as mentioned earlier, such 
issues have caught the attention of both practitioners and academics. With the 
increasing use of IT in China, there is no doubt that the government will face 
many challenges that require to take the lead in IT hardware and software ven- 
dors; Internet service providers and the entire information industry; the inter- 
est and attention of the rural space of the next great growth market, through 
policy, technical and commercial multi-drive, to gradually narrow the digital 
divide. Being a cash-oriented economy is also a main challenge. Perhaps one 
the biggest challenges the Chinese government will face is the management of 
computer related crime. Having said that, it is interesting to note that there are 
very few studies and reports that actually discuss the challenges in the context 
of management of computer related crime in China. The existing limited stud- 
ies mainly focus on the ‘narrow and traditional’ viewpoint that management of 
computer crime can be dealt with technical controls alone. This narrow per- 
spective of neglecting social aspects of IT when managing such crimes can in- 
deed create more challenges for China in the future. 


Management of Computer Crime: Challenges for China 


The extent of computer crime can be gauged from some statistics mentioned 
above. Indeed the scope of the problem of computer crime is not ony vast , but 
particularily every country including China is affected by it. For example, the 
CSI/FBI Survey (2005) also pointed out that: 


e Of the intrusion attempts coming from outside the organizations, the most 
common countries of origin included the United States and China. 


e Organizations with revenue greater than $5 million were more than twice as 
likely to identify China as the source of the intrusion attempt. 


In the above survey, thirty-six countries appeared to be the common so- 


209 


urce of intrusion, where two of the countries, USA and China seem to be the 
source of over 50% of the intrusions. Evidence of an intrusion in other coun- 
tries like China may not be conclusive since computer hackers often use pro- 
xies and Trojanized computers in other countries to mask their identity and 
make detection difficult (CSI/FBI 2005). Reports have also shown that orga- 
nizations with higher revenue (greater than $5 million) were more than twice 
as likely to identify China as the source of the intrusion attempt. A survey car- 
ried out in 2003 by the Minsitry of Public Security in China stated that ‘A 
record high number of China's computers have been hit by viruses”. In other 
words, about 85 percent of computers in China were affected by viruses in 
2003. This is 1.5 percentage points higher than 2002 and 25.5 percentage po- 
ints higher than 2001, according to the survey. Lack of awareness and ineffi- 
cient defensive tools were cited as the main reasons. [5] More recently, the 
Ministry of Defence has been accused of hacking where computer networks 
have been repeatedly penetrated to access sensitive military information. [6] 
The Chinese government has responded to such speculation that its military 
was trying to penetrate US computer networks, saying hacking was against 
Chinese law. 

China, like other parts of the world, has faced computer related crimes 
involving the Internet for quite some time. In fact, computer realted crime in 
China was first reported in July 1986 in South China’s Shenzhen where a com- 
puter thief at a local bank embezzled more than 50,500 RMB (US $6,020) by 
modifying software programs. [7] In 1987, an accountant at a local branch of 
the China Agriculture Bank in Southwest China’s Chengdu was found to have 
embezzled about 1 million RMB (US $120,000) by forging invoices in the 
computerized account system. [8] With the spread of network, computer rela- 
ted crime began to increase in number. For example, in April 1998, a post-se- 
condary graduate hacker stole insider stock information from a Shanghai 
brokerage house’s system to help his friend who had lost money in stocks.[9] 
In late July 1998, the Intranet of a paging service center in Balian in northe- 
astern China was paralyzed for an hour. Later, police found that the system had 
been modified by a “time bomb” that was planted in the network. [10] In Ja- 
nuary 1999, fifty-one people were arrested on charges of hacking into a Chi- 
nese railway’s computer system The scheme involved buying cheap tickets 
and reselling them after breaking into the reservation computer, 34 upgrading 
them to more expensive express trains. The scheme involved over 8,000 tickets 
worth US $54,000. [11] 

Seriousness of the increasing problem of computer related crime in 
China indeed can not be underestimated. More recently, reports highlight that 
Chinese hackers have also attacked government departments in Britain.[12] 


210 


Other articles published, warn that “cybercrime in China has reached such a se- 
rious level that it has damaged the normal economic order and threatens na- 
tional security.” [13] The “People’s Daily”, the CCP’s official voice, hacker 
crime in China is increasing at an annual rate of 30%. [14] In 1999 alone, there 
were a total of 180 cases of computer crime handled by the police. [15]. An 
official with the Ministry of Public Security (MPS), only 15% of all hacker at- 
tempts are accounted for, either because little actual physical harm was done 
or the victim wanted to minimize damage to their image. [16] It is important 
to bear in mind that these figures only represent detected and reported cases, 
so they are only the tip of the iceberg (for example, see Parker and Nycum 
1984; Audit Commission 2005; CSI/FBI Surveys 2005, 2006). This is attribu- 
ted to the reluctance of organizations fearing unnecessary media publicity, in 
particular, of those crimes committed by employees (for example, see Audit 
Commission, 2005; CSI/FBI 2006). Consequently, any attempts to estimate 
the actual costs of such offences are speculative. Having said that, the volume 
of reported cases indicates that the potential impact of computer related crime 
is large. Hence, countries like China where use of Internet continously incre- 
asing, will be of no exception to face challenges of managing the adverse con- 
sequecnes of IT like computer crime. This is because the sposhication of IT 
brings forth new kinds of illict acts everyday. Hence, it is important that China 
realizes management of computer crime requires an equal consideration of 
technical and social issues. Given that the number of Internet users has been 
more than doubling every year with the users growing by more than 400% in 
2006, one of the biggest challenges that the Central Government has faced in 
making Internet policy is the number of different agencies that have a stake or 
an interest in the Internet. Without one decision-maker it is more difficult to 
come to a consistent set of policies that can be externalized as rules or laws. 
Furthermore, some of existing policies have been crticized for their irregula- 
rities. [17] The government of China has begun realise the significance of ad- 
dressing the issues linked with management of computer crime. As a result, 
task force to manage computer realted issues and security policies are gaining 
importance in China. In February of 1999, for example, China established the 
State Information Security Appraisal and Identification Management Com- 
mittee to coordinate the country’s anti-cybercrime campaign. The main role 
for this committee is to ensure confidential government and commercial in- 
formation on the Internet is secure from illegal Internet users, and defining the 
rights and responsibilities of ISP providers and Internet users. [18] Although, 
China is taking the initative to deal with such illicit acts, the focus is mainly on 
technical controls. 


211 


3.2 Management of Computer Crime: Lessons to be Learnt 


Discussion so far clearly highlights the seriousness of increasing problem of 
computer related crime in China. The Chinese government has begun to ad- 
dress this problem by developing committees, policies and updating existing 
legislations and regulations. However, the measures seem to be more directed 
towards blocking the internet site usages. China's government has chosen two 
methods to deal with this threat. One is to allow a limited number of INs and 
to require all INs to use Ministry of Posts and Telecommunications (MPT)'s in- 
ternational gateway facilities, so that they can be more easily monitored and ac- 
counted for. The other approach is to block certain Western Web sites. As China 
becomes more familiar with advanced technologies, it may deploy more effi- 
cient means such as content-filtering and user-selected blocking to allow some 
users full access, but to deny such access to others. [19]. No doubt such meth- 
ods are important to manage such illicit act. However, as argued above, it is 
equally important that both technical and social issues be taken into account. 
This is because technical solutions are equally important; however, information 
security in general is much broader in perspective than “Computer Security”. 
It is for these reasons that information security researchers advocate the need 
to view information technology from a socio-technical perspective. This recog- 
nition of social aspects of IT has led to the opening up of “behavioural aspects 
of information systems” (for example, see Baskerville,1992; Siponen, 2001, 
2001a; Dhillon and Backhouse 2001; Stanton et al. 2005; Kesar,2005). This is 
significant as organisational structures and environment have changed from a 
context in which technical solutions alone were appropriate (for a strict mili- 
tary organizations) to a context in which technical solutions alone prove to be 
inadequate. Reports demonstrating the increasing amount of losses organiza- 
tions incur from computer crime support this argument that relying on techni- 
cal solutions to minimize or reduce such acts are alone not enough. 

In the context of China and Internet use, emphasis of issues mentioned 
above is lacking in studies. For example in The China Quarterly, one of the 
leading scholarly journal in its field that covers aspects of contemporary China 
including Taiwan, the author did not see any article that discussed the impor- 
tance of both technical and social issues in the context of management com- 
puter crime. Most studies and reports show how Chinese government from the 
accusations and promised to cooperate with international efforts to combat 
computer crime. Hence, it is not surprising that China's content controls have 
been criticized by some Westerners, although they have been welcomed by 
many domestic players, especially local Internet Service Providers (ISPs). 

Principles rooted in understanding the solution to poverty presented by 


212 


Novak [20], a philosopher, throws considerable light on understanding the dis- 
cussions so far. Novak believes that when we began to analyze crime, we were 
asking the wrong questions. Hence, he argues that such questions have been 
misdirecting the thoughts on how to manage crime in general. He explains this 
further by stating: 


“People often ask what causes crime. But they’re asking the wrong ques- 
tion. Let me give a parallel from economics. If you ask, “What are the 
causes of poverty?” you are asking really a useless question. Suppose 
you discover the answer? Terrific! Now you known how to make 
poverty... The interesting questions, the fruitful question, is quite dif- 
ferent. And it didn’t occur to anybody to ask this other question until 
late in the eighteenth century: “what are the causes of the wealth of na- 
tions?” If you can figure that out, then you can begin to imagine a time 
of universal prosperity, in which there will be no more poverty and in 
which a firm, general base can be put under the feet of every man and 
women on earth. That was the dream of Adam Smith. He looked for the 
systematic, social causes that would bring about the creation of new 
wealth, not to take existing wealth from others and redistribute it”. 


Against the backdrop of the comment above, it is important to ask the 
“fruitful question” about managing computer crime in China. No doubt, one of 
the challenges for Chinese government is balancing the complexity of the so- 
ciety to avoid destabilization. This perhaps explains why Internet policy in 
China is know to move through a series of expansions and contractions, which 
often is referred to as “two steps forward, one step back”. 


4. Conclusion 


The inherent complexity of emerging IT compounds the problem of computer 
crime. As seen, sophisticated IT poses even more concerns to organizations. 
Given that China, like other countries face the increasing problem of compu- 
ter crime, it is prudent that Chinese government understand that managing such 
computer crimes cannot alone be dealt with technical controls such as fire- 
walls. Rather China should learn lessons from other countries and focus on ad- 
dressing both technical and social issues when managing such illicit acts. With 
this in mind, the main contribution of this paper is to enhance awareness about 
management of computer crime in China. It sheds light on the underlying re- 
asons of computer crime and departs from the ‘narrow and technical’ viewpo- 
int that fails to recognize the importance of ‘social’ aspects in the management 
of computer crime. One of the challenges that China face in sustaining the cur- 
rent growth momentum is management of computer crime, this paper argues 
that lack of understanding those issues that can lead to the absence or poorly 


213 


implemented safeguards, which are important to explore in dealing with ma- 
nagement of computer crime. This is because a flawed understanding of the 
management of computer crime offers little scope for developing effective so- 
lutions. 


Notes 


1. Wong Mun Wai, Two Banks the Targets of Latest Phishing Scam (Channel NewsAsia, 11 
July 2006), available at: http://www.channelnewsasia.com/stories/singaporelocalnews/ 
view/218454/1/.html 


2. Ses: http://ennic.cn/html/Dir/2007/08/03/4748.htm 


3. See China Online Shopping Market Survey Report, May 2006, available on 
http://www.cnnic.cn/uploadfiles/pdf/2006/5/26/141308.pdf and aslo see http://english.pe- 
opledaily.com.cn/english/200104/10/eng20010410_67315.html 


4. China Business Weekly, see http://www.chinadaily.com.cn/ 

5. See http://news.zdnet.co.uk/security/0,1000000189,39117252,00.htm 

6. For example, see http://www.guardian.co.uk/china/story/0,,1689181,00.html 
7. China: Cyberspace Crimes in the Rise,” China Daily, 20 October 1998. 

8. ibid. 

9. Xiao Yu, “Computer Hacking Rampant,” China Daily, 21 December, 1998. 
10. “China: Cyberspace Crimes in the Rise,” China Daily, 20 October, 1998. 
11. “China Nabs 51 in Computer Break in,” AP Online, 29 January 1999. 


12. “Computer Network Poses New Threat to Security,” Xinhua News Agency, 11 January 
1999. Aslo see See Also see http://www. information-age.com/briefing_room/security_con- 
tinuity/insight/insight2/UK_government_hit_by_chinese_hackers 


13. See http://software.silicon.com/malware/0,3800003100,39158777,00.htm; also see 
Computer Network Poses New Threat to Security, Xinhua News Agency, 11 January 1999. 
14. The People’s Daily, 12 October 1998. 


15. See “Roundup — Digital Crime needed to be Addressed”, FT Asia Intelligence Wire, 15 
February 1999. 


16. See “Computer-related Crimes Surging in China,” Xinhua News Agency, 6 January 
1999. 


17. Marty Williams, “China says foreign Internet investment unwelcome” CNET, 14 Sep- 
tember, 1999 


http://hongkong] .cnet.com/briefs/news/asia/19990914bf.html. 

18. See “China Forms Information Security Oversight Committee,” FT Asia Intelligence 
Wire, 15 February 1999. 

19. See http://www.usatoday.com/tech/news/2002/01/18/china-internet.htm. Also see 
http://www.opennetinitiative.net/studies/china/ONI_China_Country_Study.pdf 

20. Speech by Oliver Letwin MP, Shadow Home Secretary to the Centre for Policy Stud- 
ies, “Beyond the causes of crime”, 8 January 2002-see http://website.lineone.net/~re- 
newing/olet_cps.htm. 


214 


References 


10. 


ll. 


12. 
13. 
14. 


15. 


16. 


20. 


21. 
22. 


23. 


Audit Commission (2001). Your business@ risk: an update of IT abuse 2001, London, 
Audit Commission Publications, HMSO. 

Audit Commission (2005). update of IT abuse 2001, London, Audit Commission Pu- 
blications, HMSO. 

Backhouse, J., and Dhillon, G. (1995). Managing computer crime: a research outlook. 
Computers & Security. Volume 14 (Issue 7): 645-651. 

Baskerville, R. (1992). The development of duality information systems security. Jo- 
umal of Management Systems Volume 4 (Issue 1): 1-12. 

Box, S. (1983). Power, crime and mystification. London, Tavistock. 

BloomBecker, J. (1986). Computer crime law reporter. Los Angeles, National Cen- 
ter for Computer Crime Data. 

Bologna, J. (1993). Handbook on Corporate Fraud. Boston, Butterworth-Heinemann. 
Braithwaite, J. (1984). Corporate crime in the pharmaceutical industry. London, Ro- 
utledge & Kegan Paul. ; 

Clarke, R., Ed. (1997). Situational crime prevention: successful case studies. Albany, 
NY, Harrow and Heston. 

Croall, H. (2001). Understanding white-collar crime. Buckingham, Open University 
Press. 

CSI/FBI (2005). Computer Security Issues and Trends. San Francisco, CSI. 
CSI/FBI (2006). Computer Security Issues and Trends. San Francisco, CSI. 

D'Arcy and Hovav (2004). The role of individual characteristics on the effectiveness 


of IS security countermeasures. Tenth Americas Conference on Information Systems 
(AMCIS) 2004, New York: 1-8. 


Dhillon, G. and J. Backhouse (1996). Risks in the use of information technology wi- 
thin organizations. International Journal of Information Management Volume 16 
(Issue 1): 65-74. 

Dhillon, G., and Backhouse, J. (2001). Current directions in IS security research: to- 
ward socio-organizational perspectives. Information Systems Journal. Volume 11 
(Issue 2): 127-153. 

Doig, A. (1984). Corruption and misconduct in contemporary British politics. Har- 
mondsworth, Penguin Books. 

Forester, T. and P. Morrison (1994). Computer ethics: cautionary tales and ethical di- 
lemmas in computing. Cambridge, The MIT Press. 

Gottfredson, M. R., and Hirschi, T. (1990). A general theory of crime. Stanford, CA, 
Stanford University Press. 

Hollinger, R. C., Ed. (1997). Crime, deviance and the computer. Dartmouth, Dart- 
mouth Publishing Company. 

Johnson, D. G. (1994). Computer ethics. Englewood Cliffs, Prentice-Hall. 


Johnson, D. G. and H. Nissenbaum, Eds. (1995). Computers, ethics & social values. 


New Jersey, Prentice-Hall. 


Kankanhalli, A., Teo, H.H., Tang, B.C., and Wei, K.K. (2003). An integrated study of 
information systems security effectiveness. International Journal of Information Ma- 
nagement Volume 23 (Issue 2): 139- 154. 


215 


24. 


25. 


26. 


2T: 


28. 


29. 


30. 


31. 


32. 
33. 


34. 


35. 


36. 


37. 


38. 


39. 
40. 


41. 


42. 


43. 


44. 


45. 


Kesar S and Rogerson S (1998). Managing Computer Misuse Social Science Com- 
puter Review (SCCORE), Special Issue: ISTAS '97: Computers and Society at a Time 
of Sweeping Change, a Sage Referred Journal, Volume 16, (Issue 3): 240-251. 
Kesar, S. (2005). Interpreting computer fraud committed by employees within orga- 
nizations. PhD Thesis (Information Systems). Salford, University of Salford, UK. 
Kling, R., Ed. (1996). Computerisation and controversy: values and social choices. 
San Diego, Academic Press. 

Maner, W. (1996). Unique ethical problems in information technology. Science and 
Engineering Ethics Volume 2(Issue 2): 137-154. 

Mars, G. (1982). Cheats at work, an anthropology of workplace crime. London, Geo- 
rge Allen & Unwin. 

Nelken, D. (1997). White-collar crime. The Oxford Handbook of criminology. M. 
Maguire, R. Morgan and R. Reiner. Oxford, Clarendon Press. 

Parker, D. B. and S. H. Nycum (1984). Computer Crime. Communications of the 
ACM . Volume 27(Issue 4): 313-315. 

Parker, D. (1980). Computer-related white-collar crime. White-collar crime: theory 
and research. G. Geis and Ezra. Eds. Beverly Hills, CA, Sage Publications: 199-220. 
Parker, D. B. (1983). Fighting computer crime. New York, Charles Scribner's Sons. 
Perrolle, J. A. (1987). Computer and social change: information property, and power, 
Waddsworth. 

Press, L., Foster, W., Wolcott, W and McHenry, W. (2003). The Internet in India and 
China, Information Technologies and International Development, MIT Press, Vo- 
lume 1, (Issue 1): 41-60. 

Punch, M. (1996). Dirty business: exploring corporate misconduct. London, Sage Pu- 
blications. 

Rawnsley, J. (1995). Going for broke: Nick Leeson and the collapse of Barings bank, 
Harper Collins. 

Schrager, L. S., and Short, J. F. (1977). Towards sociology of organisational crime. 
Social problems. 

Slapper, G. and Tombs, S. (1999). Corporate Crime. London, Addison Wesley Long- 
man. 

(Issue 4): 407-419. 

Siponen, M. T. (2001). An analysis of the recent IS security development approaches: 
descriptive and prescriptive implications. Information security management: global 
challenges in the new millennium. G. Dhillon. Ed. Hershey, Idea Group Publishing: 
125-134. 

Siponen, M. T. (2001a). On the role of human morality in information systems secu- 
rity. Information resources Management Journal. Volume 14 (Issue 4): 15-23. 
Spinello, R. A. (1997). Case studies in information and computer ethics. Upper Sad- 
dle River, New Jersey, Prentice-Hall. 

Stanton, J. M., Stam, R.K., Mastrangelo, P., and Jolton, J. (2005). Analysis of end 
user security behaviors. Computers & Security. Volume 24 (Issue 2): 124-133. 
Straub, D. W. and W. D. Nance (1990). Discovering and discipling computer abuse 
in organizations: a field study. MIS Quarterly. Volume 14(Issue 1): 45-50. 

Straub, D. W. (1990). Effective IS security: an empirical study. Information System 
Research. Volume 1 (Issue 2): 255-277. 


216 


46. 


47. 
48. 


49. 


50. 


Straub, D. W., and Welke, R. J. (1998). Coping with systems risks: security planning 
models for management decision making. MIS Quarterly Volume 22 (Issue 4): 441- 
464. 

Sutherland, E. H. (1949). White-collar crime. New York, Holt, Rinehart & Winston. 


Tittle, C. R. (1980). Sanctions and social deviance: the question of deterrence. New 
York, Praeger. 

Vitell, S. J. and D. L. Davies (1990). Ethical beliefs of MIS professional: the frequ- 
ency and opportunity for unethical behaviour. Journal of Business Ethics Volume 9 
(Issue 1):63-70. 

Wilkins, L. (1990). Retrospect and prospect: fashions in criminal justice theory and 
practice. Policy and theory in criminal justice. D. Gottfredson and R. Clarke. Eds. 
Aldershot, Avebury: 14-26. 


217 


An Overview of Information Society Law in 
the European Union 


Paul Przemyslaw Polanski 
Faculty of Law and Administration 
Warsaw University, ul. Krakowskie Przedmiescie 26/28, Warsaw, Poland 


Abstract. The EU has developed a comprehensive framework 
for Information Society law that spans various areas ranging from a lib- 
eral regulation of e-commerce to a stringent legislation in the area of 
copyrights in the Information Society. This article discusses the evolu- 
tion of the EU approach to the regulation of e-commerce in the Single 
Market and demonstrates the most important aspects of the current reg- 
ulations relevant to this area. 


1. Introduction 


The knowledge based economy underlines the importance of services, which 
generate far more wealth than other economy sectors such as industrial pro- 
duction or farming. The term information society was introduced in 1960-ties 
in Japan to describe the phenomenon of transition of industrial societies into 
knowledge-based societies. The transition is to a great extent a result of the in- 
troduction of information technologies, such as computer programs and com- 
puter networks, which are capable of processing large amounts of data and 
generate powerful reports. 

Over the last 16 years, the European Union has developed a compre- 
hensive legal framework for Information Society (IS). It is an important de- 
velopment because international community has failed to devise a global 
framework for Internet governance. Despite the efforts of international organ- 
isations such as ICANN, UNCITRAL or WIPO, Internet users are still sub- 
jected to non-uniform rules. Taking into account the fact that Internet is global 
and its regulation fragmented, there is a great deal of legal uncertainty in a glo- 
bal cyberspace. 

The objective of this article is to present the evolution of information 
society law in the European Union with a special emphasis on the directive on 
electronic commerce, which remains a mini-constitution of the Internet-based 
trade in the Community. The first part of the paper will briefly present how the 
Community principles evolved in this area. The second part will attempt to un- 
derlie to most important changes introduced to the regulation of electronic 
commerce in the Internal Market. 


219 


2. Ashort sketch of the evolution of Information Society law 


Although the Internet existed already in the 1980-ies and the World Wide Web 
was introduced in the 1991, the mass interest in this technology sprung up only 
around year 1995 (Polanski (2007)). As a result, the European law enacted be- 
fore that year did not really take into account the changes resulting from the 
emergence of this revolutionary medium. This is especially visible with re- 
spect to the EC Treaty rules, which do not expressly regulate information so- 
ciety services. There is not even a separate policy provision in the Treaty, 
despite the strategic importance of the Lisbon Agenda, which underlines the si- 
gnificance of information technologies to the development of the European 
Union. Lack of explicit information society policy is partly compensated by the 
fact that one of the EU commissioners was vested with the task of directing In- 
formation Society and Media directorate. However, the competence concern- 
ing information society services is also within the scope of interest of the 
Internal Market commissioner and this approach signals an unclear attitude to- 
wards the legal strategy for Information Society. Although primary legislation 
provides only a very basic framework for the freedom of movement of goods, 
services and capital, it is nevertheless a starting point for defining a content of 
the subject matter. Furthermore, one cannot forget about the role of the Euro- 
pean Court of Justice, whose jurisprudence starts to directly affect the shape of 
the European IS law. However, the core body of IS rules was enacted in di- 
rectives, and to a much lesser degree, in other EU instruments. 


The first rules of importance to the information society were enacted in 
1991 in the directive 91/250/EEC on the legal protection of computer programs 
(OJ L 122/42 (17.5.1991)), which granted a very strong copyright protection 
of software to the rightholders. The question of fair use of computer programs 
for private use was not specifically addressed in the Directive. Furthermore, the 
rights of legitimate users concerning making up the back up copy or reverse en- 
gineering were further restricted. The protection of digital infrastructure was 
further strengthened with the introduction of the directive 96/9/EC on the pro- 
tection of databases that introduced a sui generic right next to the harmonised 
right over the selection and arrangement of database content rooted in copy- 
right regime (OJ L 77/20 (27.3.1996)). The sui generic right afforded a mo- 
nopolistic protection to non-original databases, which required a significant 
investment in their production. In a series of judgements starting from British 
Horseracing Board vs William Hill, the ECJ has severely curtailed the scope 
of sui generic right interpreting the requirement of substantial investment in the 
creation of data as excluding the money spent on the mere collection of data. 
More than the mere investment in the resources that make up the contents of 


220 


the database is necessary to obtain the protection. Both directives are examples 
of very serious approach to the protection of computer programs and databases 
in the interest of the rightholders, particularly producers of databases and soft- 
ware, thus severely limiting the rights of public. 


In the mid 1990-ties one can also observe the activity of the European 
institutions in the area of data and consumer protection. The directive 95/46/EC 
on data protection, introduced a framework for the processing of personal data, 
whether automated or not, which requires prior consent or knowledge of the 
data subject. In 1997, the European Communities developed far reaching 
measures concerning protection of consumers with respect to distant contracts, 
clearly visible in the directive 97/7/EC on the protection of consumers with 
respect to distant contracts (OJ L 144/19 (04.06.1997)). The directive intro- 
duced important rights to the consumers, including the right of withdrawal 
from a distant contract. 


In 1998 the directive on transparency (OJ L204/37 (21.07.1998)) was 
adopted, which enabled a prior control over the draft technical regulations and 
standards. The changes to this directive introduced, inter alia, the definition of 
information society services, which is the most fundamental construct to the 
law of the Information Society in Europe. As a result, governments which fail 
to submit draft regulations pertaining to information society services may not 
rely on ensuing acts during a judicial process. 


Between 1999 and 2001, the European Union adopted the most crucial 
directives pertaining to the Information Society. In 1999 the European Parlia- 
ment and the Council adopted the long awaited directive 1999/93/EC on elec- 
tronic signatures, which created a legal framework for contracts and other 
documents signed digitally (OJ L 13/12 (19.01.2000)). However, the most im- 
portant act so far was enacted in the new century. On 8t of June 2000 the di- 
rective 2000/31/EC on electronic commerce was passed (OJ L178/1 
(12.11.2000)), which establishes the basic principles for the information soci- 
ety services. Due to its importance, the following section will discuss it at 
length. In the same year, a detailed framework for electronic money was in- 
troduced (OJ L 275/39 (27.10.2000)). 


Concurrently with the drafting process of the directive on electronic 
commerce, EU decided to harmonize the rights of authors to the works pro- 
duced in the online world. One year after the adoption of the directive on e- 
commerce, the directive on copyright in the information society (OJ L 167/10 
(22.06.2001)) was enacted, which implemented and supplemented 1996 WIPO 
Treaties (WIPO (1996); WIPO (1996)). That year, the directive on electronic 
invoices (OJ L 15/24 (17.01.2002)) amended the directive on VAT, introduc- 
ing electronically signed or EDI-generated invoices to the European commu- 


221 


nity law. The directive 2002/38/EC (OJ L 128/41 (15.5.2002)) and 2006/58/EC 
(OJ L 174/5 (28.06.2006)) also amended the VI directive, introducing new 
rules on taxation of electronically supplied services. 


In 2002, two other important directives were adopted. The directive 
2002/65/EC on the distance marketing of consumer financial services was in- 
troduced to offer additional safeguards to consumer buying financial services 
online (OJ L271/16 (9.10.2002)). The directive is heavily based on the earlier 
consumer protection directives, but requires more information to be provided 
to the service recipients and extends the period for the right of withdrawal. On 
the other hand, the directive 2002/58 on privacy and electronic communications 
which formed a part of the telecommunications reform package, introduced 
important changes to the regulation of spam (OJ L201/37 (31.07.2002)). 


From 2003 onwards, one can see the emergence of European e-gov- 
ernment regulations starting from the directive 2003/98 the reuse of public sec- 
tor information (OJ L345/90 (31.12.2003)). The following year two other 
eGovernment directives were adopted, which permitted electronic procure- 
ment of goods and services (OJ L 134/1 (30.4.2004); OJ L 134/114 
(30.4.2004)). In particular, electronic auctions were permitted as distinct modes 
for managing procurement by public services. In 2004, another directive in the 
area of IP law was enacted, which aimed to strengthen the enforcement of in- 
tellectual property law in the EU (OJ L 159/16 (2.06.2004)). 


Last year, the directive 2006/123 on services (OJ L 376/36 (27.12.2006)) 
provided a horizontal regulation of services and forced administration to adopt 
an electronic single point of contact for entrepreneurs from other Member 
States. This directive supplements earlier directives, particularly the directive 
on electronic commerce, with respect to, inter alia, information requirements 
or authorisation schemes. One must also remember about the aforementioned 
directive on retention of telecommunication data, which extended the period of 
data retention generating a heated debate concerning the privacy of users. 


This short presentation of aquis communitaire in relation to Information 
Society is selective and does not enlist all of the regulations that are of impor- 
tance in this area. One must bear in mind that presented regulations usually 
supplement existing law, particularly in the area of consumer protection and ad- 
vertising. The following section will present some remarks on the most im- 
portant directive pertaining to information society, namely the directive on 
electronic commerce. 


222 


3. Information society services in the light of selected di- 
rectives 


Due to the diverging character of national legal systems, which cannot be over- 
come by member states alone, EU leaders decided to harmonize their legisla- 
tion concerning electronic commerce. The principle of subsidiarity permits this 
kind of action especially in cases such as Internet-based trade, where the action 
on a supra-state level is an obvious necessity. The harmonisation efforts should 
also be seen in the context of the provisions of the Treaty establishing European 
Community, particularly in the light of the freedom of movement of services 
and the freedom of movement of goods. Concerning the latter, one must keep 
in mind that member states may successfully block a free circulation of goods 
ordered over the Internet relying on exceptions listed in article 30 of the Treaty. 
As the DocMorris case (C-322/01) clearly demonstrates, the Internet sale of 
medicines available without prescription cannot be opposed by member states. 
However, national governments may decide that pharmaceuticals available on 
prescription cannot be sold using means of distance communication, relying on 
the exceptions enshrined in article 30 of the Treaty. 

Out of a great variety of harmonising directives briefly described in the 
section above, the directive on electronic commerce adopted in June 2000 re- 
mains the most important legal development concerning online business in the 
European Union. Adopted in the context of the Lisbon Agenda, it approximates 
national laws to the extent necessary to ensure the free movement of informa- 
tion society services a number of crucial areas concerning the take up and pur- 
suit of e-commerce activities such as information requirements, advertising 
and contracting rules , as well as norms concerning the liability of intermedi- 
aries. The horizontal character of the directive means that it applies to all areas 
of law such as private or criminal law. Furthermore, both Business-to- 
Business (B2B) as well as Business-to-Consumer (B2C) electronic commerce 
is regulated by this instrument. 

The Directive on electronic commerce uses a rather obscure term infor- 
mation society services which should embrace nearly all forms of online ac- 
tivities, including the online sale of goods and services, operation of search 
engines and portals or the services of hosting companies or Internet Service 
Providers. Directive 98/48/EC (OJ L217/18, 18.08.1998) has introduced the 
definition of such services. Accordingly, information society service is any 
service normally provided for remuneration, at a distance, by electronic means 
and at the individual request of a recipient of services. The parties cannot be 
simultaneously present, the service must be entirely sent and received using 
electronic equipment and the data must be transmitted at the individual request 


223 


of the user. As the Mediakabel case (C-89/04) proved, individual request of 
the user does not extend to television on demand where the signal is broad- 
casted rather than directed to individual users. Annex V of the directive further 
clarifies that electronic equipment does not embrace faxes and voice telephony 
services, therefore effectively equating information society services with In- 
ternet-mediated services. However, offline delivery of goods or services are 
not covered by the definition of information society services and hence not 
protected by the principles enshrined in the directive on electronic commerce. 


Establishment requirements 


One of the key features of the directive is the country of origin principle, which 
permits entrepreneurs to register their activity in one member state and conduct 
it in all EU member states (including EFTA states). Drawing on famous Cas- 
sis de Dijon case member states have to recognize mutual standards concern- 
ing the take up and conduct of electronic business. The country of origin 
principle has been also adopted in other acts of importance to information so- 
ciety such as the directive on electronic signatures and is applicable to crucial 
area of online financial services. The Internal Market principle is based on the 
assumption that one member state must control the conduct of business of an 
entrepreneur and other countries cannot oppose to its operation within their 
borders. The inclusion of this principle in article 3 of the directive was a great 
success of the European institutions, especially in the light of the failure to in- 
corporate this principle in the directive on services (OJ L 376/36 (27. 12.2006)). 
One should also mention that apart from mutual recognition of standards, mem- 
ber states were obliged by the directive on transparency to submit draft legis- 
lation concerning information society services to the Commission for 
assessment of conformity with the Internal Market principles. 


However, the government’s action is still possible. F irstly, member states 
might adversely affect the functioning of EU-wide electronic commerce by in- 
troducing barriers which do not fall within the so called coordinated field, 
which offers a standarization only in the area of the take up and pursuit of e- 
commerce activities. Areas, which do not fall within the coordinated field, em- 
brace the requirements relating to goods as such, their delivery or provision of 
non-electronic services. Secondly, certain areas are explicitly excluded from the 
scope of the Internal Market principle such as consumer protection, intellectual 
property or the freedom to specify the choice of law clause. It follows that 
member states might create barriers or additional regulations in the name of 
protecting those areas without offending the country of origin principle. 
Thirdly, governments might intervene even in areas covered by the coordi- 


224 


nated field albeit under certain conditions. Action must be taken against a spe- 
cific service provider and justified on the grounds of public order, security, 
health and consumers. Furthermore, a specific consultation procedure must be 
followed, unless the urgent case permits a unilateral action, which must be later 
on reported to the Commission. As the first report on the implementation of the 
directive has shown, the possibility of government intervention has been prac- 
tically unused (COM(2003) 702 final (21.11.2003), p.8-9). 


Another key feature of the directive is the principle permitting to start e- 
commerce activities without any authorisation or any other requirement hav- 
ing equivalent effect. The countries that had such requirements had to abandon 
them. However, authorisation is still required with respect to provision of serv- 
ices for which normally such procedure would have to be fulfilled. Further- 
more, there are countries such as Spain and Portugal, which added in their 
implementations of the directive specific provisions concerning registration 
requirements for information society service providers (COM(2003) 702 final 
(21.11.2003), p.7). In general, however, the take up of e-commerce activities 
has been freed from unnecessary hurdles to make it an attractive proposition 
to the peoples of the European Union. 


The directive 2006/123/EC on services has provided additional means 
of simplifying the take up of electronic business. Chapter II of the directive 
was devoted to the simplification of administrative procedures, which permits, 
for instance, non-original documents to be submitted to relevant authorities. 
Furthermore, member states should establish single points of contact through 
which an entrepreneur can complete procedures and formalities necessary, for 
example, to obtain relevant authorisations to commence his or her services. 
Article 8 (1) provides that “Member States shall ensure that all procedures and 
formalities relating to access to a service activity and to the exercise thereof 
may be easily completed, at a distance and by electronic means, through the 
relevant point of single contact and with the relevant competent authorities”. 
Consequently, soon information society service provider whishing to obtain a 
special authorisation will be able to use Internet for that purpose. The Com- 
mission was vested with a task of establishing common standards that would 
allow national information systems to communicate with one another to 
achieve these goals. 


3.2 Information requirements 
One of the consequences of the development of the idea of information soci- 


ety was a desire to promote transparency among entrepreneurs. EU policy- 
makers developed lengthy lists of information requirements, which must be 


225 





met by e-commerce participants. For instance, the directive on electronic com- 
merce requires information society service providers to provide general infor- 
mation concerning their activity (such as geographical address, email address, 
relevant entries in trade registers, the details concerning supervisory authority 
if any as well as VAT number). However, the report on e-commerce directive 
has made it clear that these requirements are hard to enforce in practice: “There 
_ seems to be a certain lack of awareness regarding these information require- 
ments amongst internet operators in the EU” (COM{(2003) 702 final 
(21.11.2003), p.9) Nevertheless, the directive on services adds additional in- 
formation requirements such as the existence of an after-sales guarantee, the 
professional liability insurance and guarantees, if any etc. 


Information requirements concern all parts of the operation of a busi- 
ness. The electronic commerce directive contains special provisions, which 
forced merchants to clearly identify their commercial communications, such as 
promotional offers, discounts etc. Furthermore, online merchants must provide 
numerous information prior to the conclusion of a contract with a client. These 
obligations are scattered around numerous directives, ranging from the direc- 
tive on electronic commerce, through consumer directives up to the directive 
on services. The sections below will outline these provisions in a greater level 
of detail. 


4. Electronic contracting 


4.1 Pre-contractual information and order confirmation 


The directive 97//7/EC on the protection of consumers in respect to distance 
contracts was the first important instrument to information society, which 
forced businesses to provide extensive pre-contractual information to natural 
persons acting outside of their trade, business or profession (consumers) prior 
to the conclusion of a contract using means of distance communication. In 
good time prior to the conclusion of the contract the consumer should be in- 
formed about the identity of the supplier, the characteristics of goods or serv- 
ices, the price including all taxes and delivery costs, information concerning the 
right of withdrawal, payment and delivery arrangements and other informa- 
tion, when appropriate (art. 4). This information should be communicated in a 
clear, comprehensive manner and appropriately to the means of distance com- 
munication in use (i.e. differently in case of e.g. email and telephone conver- 
sation). However, this does not mean that communication with a consumer can 
be reduced to the means of distance communication. The directive forced busi- 
nesses to provide confirmation of this information in writing or using durable 


226 


medium at the latest during the delivery of those goods or services. The sanc- 
tion for failure to fulfil this requirement is the extension of the period to exer- 
cise the right of withdrawal from seven days to three months. 


The directive 97/7/EC explicitly excluded financial services from its 
scope of application. The directive 2002/65/EC on the distance marketing of 
financial services to consumers filled in this gap and mirrored the provisions 
of the aforementioned directive with certain modifications. It contains a long 
list of pre-contractual information pertaining to the supplier: the financial serv- 
ice (the description of the service, the total price to be paid, relevant caution- 
ary notices, period of validity of the information etc), the distance contract (the 
existence of the right of withdrawal and practical information concerning its 
usage, the choice of law clause etc.), the redress (the existence of arbitrage sys- 
tem, guarantee system). As in the case of directive 97/7/EC the supplier should 
communicate the information as well as the standard terms and conditions on 
paper or on another durable medium. However, if the whole transaction was 
concluded online the supplier may deliver the aforementioned information im- 
mediately after the conclusion of the contract if the contract has been con- 
cluded at the consumer’s request using a means of distant communication. 
Another key difference in comparison to the 97/7/EC directive is a lack of ex- 
tension of the right of withdrawal in case a supplier fails to confirm prior in- 
formation on paper or using durable medium. 


The directive on electronic commerce enriched these pre-contractual ob- 
ligations with additional requirements. Information society service providers 
must inform consumers and businesses alike (the latter category may contract 
these obligations out) about the different technical steps that follow to con- 
clude a contract, available languages, availability and accessibility of the con- 
cluded contract in electronic form, the technical means for identifying and 
correcting input errors and subscribed codes of conduct. Furthermore, contract 
terms and standard terms and conditions must be made available to recipient 
of information society services even in contracts concluded through the ex- 
change of emails or equivalent individual communications (art. 10). 


What is however, of greater importance, is the obligation of the service 
provider to confirm the recipient’s order without delay and by electronic means. 
This obligation can be contracted out only in B2B relations. European law- 
giver seems to understand that electronic orders are customarily confirmed by 
electronic means and raises these common practices to the level of law (Po- 
lanski (2007)). However, the question arises about the relationship of this ob- 
ligation to the duty to confirm pre-contractual information to consumers on 
paper or another durable medium. Do online entrepreneurs have to use non- 
electronic mediums in conjunction with electronic ones to fulfill obligations 


227 





arising out of consumer directives or risk the extension of the withdrawal pe- 
riod? The reading of the directives seems to indicate so, despite the potential 
to interpret “durable medium” requirement as embracing technologies such as 
email or webpages. Recital 13 of the directive 97/7/EC makes it clear that “in- 
formation disseminated by certain electronic technologies is often ephemeral 
in nature insofar as it is not received on a permanent medium.” Therefore, in 
B2C transactions it is advisable to confirm transactions swiftly using electro- 
nic means as well as to resort to confirmation in writing of pre-contractual in- 
formation required by consumer directives. 


4.2 Right of withdrawal 


European consumers were granted very important right, which allows them to 
escape a contract concluded by electronic means without giving any reason 
and without penalty within a set period of time. Depending on the subject mat- 
ter of a distance contracts, directives established the minimal period for with- 
drawal to seven days in case of non-financial contracts and to fourteen or thirty 
calendar days in case of financial services. In the former case of the withdra- 
wal period can be extended to three months provided that a service provider 
fails to confirm business information in writing or in durable medium. 


Consumers therefore bear almost no risk with respect to distance con- 
tracts. In case they decide to exercise their right, the only penalty would be the 
direct cost of returning the goods. The supplier has to reimburse the consumer 
free of charge and within 30 days. Any relevant credit agreements should also 
be cancelled without penalty. However, certain types of transactions will exc- 
luded from the application of this principle. For instance, contracts for goods 
or services with fluctuating prices or transactions concerning sealed computer 
programs will not be subject to the right of withdrawal for obvious reasons. 


In case of financial services, if the consumer exercises his right of wi- 
thdrawal he shall, before the expiry of the deadline, notify this fact following 
the practical instructions given to him by means which can be proved in ac- 
cordance with national law. The directive 2002/65/EC clarifies that the de- 
adline will be considered observed, if the notification is on paper or on another 
durable medium available and accessible to the recipient and is dispatched be- 
fore the deadline expires. 


On the other hand, online professionals do not have a right to withdraw 
from a contract. However, the directive on electronic commerce imposed ano- 
ther obligation on information society service providers to make available to 
the recipient of the service “appropriate, effective and accessible technical 
means allowing him to identify and correct input errors, prior to the placing 


228 


of the order” (art. 11 § 2). Although the directive leaves to the member states 
to decide on sanctions for the failure to provide such mechanisms, one must 
bear in mind that the newest UN Convention on the Use of Electronic Com- 
munications in International Contracts permits natural persons to withdraw 
from a portion of electronic communications in such circumstances (article 
14). 


4.3 Advertising 


Directive 2000/31/EC on electronic commerce supplements existing instru- 
ments harmonising rules relating to commercial communication or advertising 
in the European Union. It defines commercial communication as ,,any form of 
communication designed to promote, directly or indirectly, the goods, services 
or image of a company, organisation or person pursuing a commercial, indus- 
trial or craft activity or exercising a regulated profession.” Consequently, com- 
mercial communication must be clearly identifiable as such and promotional 
offers should have easy to access and understand conditions. 

However, the directive introduced a very important rule permitting reg- 
ulated professions to advertise online. This provision opened a window of op- 
portunities to professions that were traditionally excluded from media due to 
legal restrictions in their countries. For instance, legal profession is now free 
to use webpages as means of advertising their services. What is even more per- 
plexing is the fact that the new directive on services followed this path and ex- 
tended this permission to all media. As article 24 of the services directive put 
it “Member States shall remove all total prohibitions on commercial commu- 
nications by the regulated professions.” 

On the other hand, the directive on electronic commerce introduced a 
rather unfortunate provision permitting the so called unsolicited communica- 
tion or spam. It took European institutions two years to realize that opt-out reg- 
istries serve only as a source of confirmed email addresses for spammers. The 
directive 2002/58/EC introduced the so called opt-in model, which requires 
the prior consent of the user. However, the usage of the “true” spam, which 
conceals the identity of the sender is absolutely prohibited. On the other hand, 
the new system permitted email campaigns with respect to old clientele of an 
online entrepreneur (art. 13). One must also bear in mind that spam has been 
recognised as a unfair commercial practice in the newest instruments aimed at 
the protection of consumers. 


4.4 Liability of intermediaries 


Finally, the directive on electronic commerce contains very important rules 


229 





that effectively exclude the liability of intermediaries such as telecommunica- 
tion and hosting service providers. Article 15 of the directive has not imposed 
a general obligation to monitor the information which ISPs, hosting or caching 
service providers transmit. Furthermore, those subjects were freed from an ob- 
ligation to actively seek facts indicating illegal activity. On the other hand, the 
directive gave a leeway to member states to establish obligations to promptly 
inform the competent public authorities of such activities enabling at their re- 
quest the identification of recipients of their service with which they have a 
contractual relationship. Hence, in certain situations, data protection legislation 
might not be an obstacle to the submission of personal data to public authori- 
ties. 

Furthermore, the provisions on the liability of intermediaries enlisted a 
different set of conditions pertaining to different categories of intermediaries, 
which ensure the immunity. The ISPs have to prove that they have not initiated 
a transfer and have not modified it. On the other hand, caching service 
providers will have to comply with numerous other requirements, including 
those that are customarily adhered to in the industry. Finally hosing service 
providers will remain immune if they demonstrate that they were unaware of 
the illegal activity conducted on their servers but once they learnt, they have 
quickly disabled access to such information. In all these situations, however, 
the courts of member states or other authorities were given a possibility to ter- 
minate the provision of illegal services. 

The problem of liability of intermediaries is especially visible in the con- 
text of P2P networks and the so called Web 2.0 portals. The directive 
2001/29/EC has not sorted out these problems as it was adopted when file- 
sharing networks were just about to explode with content. On the other hand, 
the directive on electronic commerce concerning the liability of hosting 
providers might be difficult to extend to the owners of large portals, which 
“host” the content stored by their users. It remains therefore unclear whether 
websites such as MySpace may rely on article 14 defence to avoid liability for 
the content posted by their users. 


5. Conclusion 


The Community framework for electronic commerce remains one of the most 
advanced in the world. At the same time, the rapid pace of technological change 
and innovation in business methods of conducting e-business made certain pro- 
visions redundant or actually unnecessary. It is especially visible in the area of 
consumer protection, where consumers are protected against certain actions of 
businesses, which are reasonable and do not really affect the security of non- 
professional parties. At the same time, certain steps taken to prevent, for in- 


230 


stance, malicious spam turned out to be a mistake, which had to be quickly 
rectified. However, even a sudden change has not stopped the phenomenon of 
unsolicited commercial communication due to technological limitations of cur- 
rent technology, which cannot effectively deal with randomly generated emails 
and graphical content replacing text. 


At the same time, certain developments clearly encouraged the growth of 
electronic commerce in the Internal Market. One such important motivator was 
the country of origin principle from the directive on electronic commerce and 
the directive on electronic signatures. Although difficult to read, it nevertheless 
conveyed a message that it is sufficient to fulfil the requirements of the coun- 
try of origin to be able to supply information society services across the Com- 
munity. The abandonment of authorisation schemes, permission of regulated 
professions to advertise online, prohibition of spam, recognition of electronic 
contracts and electronic confirmations of orders and removal of the liability of 
intermediaries sent further encouraging signals to online entrepreneurs. On the 
other hand, the rise of consumers’ confidence was ensured through the adop- 
tion of the right of withdrawal from a distant contract in case of traditional and 
financial services without giving any reason. These and numerous other pro- 
visions were aimed to create a balance between the expectations of entrepre- 
neurs and consumers alike, which — I think — has been achieved. However, still 
much needs to be done to achieve a similar balance between the interests of the 
copyright holders and information consumers. 


Bibliography 


1) COM(2003) 702 final (21.11.2003). First Report on the application of Directive 
2003/31/EC of the European Parliament and of the Council of 8 June 2000-on certain 
legal aspects of information society services, in particular, electronic commerce, in the 
Internal Market (Directive on electronic commerce). Brussels: 1-25. 

OJ L178/1 (12.11.2000). Directive 2000/31/EC of the European Parliament and of the 
Council of 8 June 2000 on certain legal aspects of information society services, in par- 
ticular electronic commerce, in the Internal Market (Directive on Electronic Com- 
merce). OJ L178/1 


OJ L201/37 (31.07.2002). Directive 2002/58/EC of the European Parliament and of 
the Council of 12 July 2002 concerning the processing of personal data and the pro- 
tection of privacy in the electronic communications sector (Directive on privacy and 
electronic communications). OJ L201/37 

OJ L204/37 (21.07.1998). Directive 98/34/EC of the European Parliament and of the 
Council of 22 June 1998 laying down a procedure for the provision of information in 
the field of technical standards and regulations. OJ L204/37 

OJ L271/16 (9.10.2002). Directive 2002/65/EC of the European Parliament and of the 
Council of 23 September 2002 concerning the distance marketing of consumer finan- 
cial services and amending Council Directive 90/619/EEC and Directives 97/7/EC and 
98/27/EC. OJ 1271/16 


2 


~~ 


3 


— 


4 


N 


5 


a 


231 








6) OJ 1345/90 (31.12.2003). Directive 2003/98/EC of the European Parliament and of 
the Council of 17 November 2003 on the re-use of public sector information. OJ 
1345/90 

7) OJ L 13/12 (19.01.2000). Directive 1999/93/EC of the European Parliament and of the 

Council of 13 December 1999 on a Community framework for electronic signatures. OJ 

L 13/12, 

OJ L 15/24 (17.01.2002). Directive 2001/115/EC of the Council of 22 December 2001 

amending Directive 77/388/EEC with a view to simplifying, modernising and harmon- 

ising the conditions laid down for invoicing in respect of value added tax. OJ L 15/24 

OJ L 77/20 (27.3.1996). Directive 96/9/EC of the European Parliament and of the 

Council of 11 March 1996 on the legal protection of databases. OJ L 77/20, 

10) OJ L 122/42 (17.5.1991). Council Directive 91/250/EEC of 14 May 1991 on the legal 
protection of computer programs. OJ L 122/42, 

11) OJ L 128/41 (15.5.2002). Directive 2002/38/EC of 7 May 2002 of the Council amend- 
ing and amending temporarily Directive 77/388/EEC as regards the value added tax 
arrangements applicable to radio and television broadcasting services and certain elec- 
tronically supplied services. OJ L 128/41 

12) OJ L 134/1 (30.4.2004). Directive 2004/17/EC of the European Parliament and of the 
Council of 31 March 2004 coordinating the procurement procedures of entities oper- 
ating in the water, energy, transport and postal services sectors. OJ L 134/1 

13) OJ L 134/114 (30.4.2004). Directive 2004/18/EC of the European Parliament and of the 
Council of 31 March 2004 on the coordination of procedures for the award of public 
works contracts, public supply contracts and public service contracts. OJ L 134/114 

14) OJ L 144/19 (04.06.1997). Directive 97/7/EC of the European Parliament and of the 
Council of 20 May 1997 on the protection of consumers in respect of distance con- 
tracts. OJ L 144/19 

15) OJ L 159/16 (2.06.2004). Directive 2004/48/EC of the European Parliament and of the 
Council of 29 April 2004 on the enforcement of intellectual property rights. OJ L 159/16 

16) OJ L 167/10 (22.06.2001). Directive 2001/29/EC of the European Parliament and of the 
Council of 22 May 2001 on the harmonisation of certain aspects of copyright and re- 
lated rights in the information society. OJ L 167/10 

17) OJ L 174/5 (28.06.2006). Directive 2006/58/EC of 27 June 2006 of the Council amend- 
ing Council Directive 2002/38/EC as regards the period of application of the value 
added tax arrangements applicable to radio and television broadcasting services and 
certain electronically supplied services. OJ L 174/5, 

18) OJ L 275/39 (27.10.2000). Directive 2000/46/EC of the European Parliament and of the 
Council of 18 September 2000 on the taking up, pursuit of and prudential supervision 
of the business of electronic money institutions. OJ L 275/39 

19) OJ L 376/36 (27.12.2006). Directive 2006/123/EC of the European Parliament and of 
the Council of 12 December 2006 on services in the internal market. OJ L 376/36 

20) Polanski, P. P. (2007). Customary Law of the Internet: In the Search for a Suprana- 
tional Cyberspace Law. The Hague, T.M.C. Asser Press. 

21) WIPO (1996) Copyright Treaty (adopted in Geneva on December 20, 1996), Available 
at: http://www.wipo.int/clea/docs/en/wo/wo033en.htm, Accessed: 18/06/2007. 

22) WIPO (1996) Performances and Phonograms Treaty (adopted in Geneva on Decem- 

ber 20, 1996), Available at: http://www.wipo.int/clea/docs/en/wo/wo034en.htm, Ac- 
cessed: 18/06/2007. 


8 


— 


9 


— 


232 


The Impact of Legal challenges on the Evolution of 
Shopbots and Metabots 


Yun Wan & Qi Zhu 


Assistant Professors of Computer Information Systems and Computer Science 
School of Arts and Sciences 
University of Houston, Victoria 
{wany, zhuq}@uhv.edu 


Abstract. On the backdrop of Coase theorem, this paper 
analyzed four major lawsuits in the nascent stage of electronic com- 
merce from 1994 to 2002. These lawsuits were all between Web-based 
agents, comparison-shopping agents or shopbots, and MetaBots. They 
have significant impact on this emerging electronic commerce sector. 
The focus of this paper is exploring how these lawsuits influenced the 
evolution of the shopbots and MetaBots. We demonstrated that legal 
challenges could greatly influence the evolution path of comparison- 
shopping technologies and their business models. In this case, the favo- 
rable legal environment for shopbots makes this category prosperous 
and fully developed while the unfavorable legal environment on the Me- 
taBots makes it less developed. 


1. Introduction 


The Web provides an ideal opportunity for more efficient information broking 
models (Maes, 1994). As a result, we see numerous Web-based agents émer- 
ged since 1994 and they are either the Web extension of traditional agents or 
Web-only agents. 


For example, A Web-based auction agent like eBay could reach poten- 
tially unlimited number of participants compared with limited scope in both 
participants and items available for auction of its brick-and-mortar counter- 
part. A Web-based traveling agent like expedia.com could seamlessly inte- 
grate airfare, hotel, and car-rental service. They can then cross-sell traveling 
products when travelers planning their trip online. Former premium ticketing 
agent, TicketMaster, also have its online presence, ticketmaster.com, which es- 
sentially transformed itself into a Web-based ticketing agents. 


The Web also provides powerful technology to allow shoppers to com- 
pare price information of the same or similar products and services from one 
place instead of visiting multiple sites. We call such technology comparison- 
shopping agents or shopbots because they serve as buyers’ agent to retrieve 
price information from other websites (Wan, Menon, & Ramaprasad, 2003). 


233 


These shopbots dis-intermediated traditional role of agents because they were 
competing for the same customer. However, shopbots are able to re-package the 
information they collected in a more efficient way. 


There is a natural limit on the number of websites a shopbots could han- 
dle so one shopbot would not be able to cover all sites a user want to search. 
As a result, shopbots emerged and distributed unevenly with both overlapping 
coverage and their own unique coverage. Thus, another type of shopbots or 
so-called MetaBots emerged. Instead of searching websites directly, MetaBots 
search those shopbots and retrieve and aggregate the information from the lat- 
ter (Etzioni, 1997). 


As we will illustrate in this paper, the legal challenges for these three 
type of emerging Web-based technology and business models are Web-unique 
and, in some circumstances, rather complex. The consequence of lawsuits for 
them greatly influenced the evolution path of these three categories, especially 
for the two Web-only categories, Shopbots and MetaBots. 


Essentially, shopbots end up with a more favorable legal environment 
than MetaBots in terms of their information retrieval behavior. And consequ- 
ently, the former developed into a fully maturity business model while the lat- 
ter largely stalled in its development. 


2. The Problem on Information Ownership 


The aforementioned legal challenges focus on the fundamental issue in B2C 
electronic commerce: the ownership of information. 


According to Coase theorem (Coase, 1960), regardless of the initial al- 
location of property rights and choice of remedial protection, the market will 
determine ultimate allocations of legal entitlements, based on their relative 
value to different parties. If we regard information as a new property and its 
ownership is not clear, then the problem on information ownership on the Web 
provides an interesting case to examine Coase theorem in a new perspective. 


Depending on the generation mechanism, there are at least three types 
of information being produced, exchanged, and consumed in B2C electronic 
commerce. They are information generated by consumer, online vendor, and in- 
formation agents. 


The information produced by consumers could be further classified into 
at least two categories: those being produced solely by consumers and those co- 
produced. with other consumers as well as vendors and/or agents. 


For example, a comment to a specific product written and submitted by 
a consumer is a piece information produced directly and solely by consumers; 


234 


while the accumulated rating information to a seller on eBay provided by buy- 
ers is a piece of co-produced information by both the consumers, which inclu- 
ding sellers and buyers, and eBay, the auction agent. 


The information produced by online vendors could also be further clas- 
sified into at least two categories: those being produced solely by vendors and 
those being co-produced by vendors and manufacturers. 


For example, the price information for a specific product on the vendo- 
r’s website is, in most cases, solely produced by the vendor. However, the pro- 
duct specification information, though displayed on the vendor sites, is most 
probably provided by the product manufacturer. 


The information produced by Web agents is almost always co-produ- 
ced. The role of agents is essentially retrieving information from consumers or 
vendors and then processing this information in a value-added way for the for- 
mers. Some agents, instead of dealing with consumers and vendors directly, 
retrieve information from other agents, which further complicated the infor- 
mation ownership clarification. The most noteworthy example is the compari- 
son-shopping agents or shopbots and meta-agents or Metabots. The former 
collect price information from online vendors for the same products while the 
latter collect similar information from the formers thus saving the consumers’ 
time to search more than one comparison-shopping sites. 


Since in virtual world, information is costly to produce but costlessly to 
be retrieved and reproduced, the value-added processing performed by most 
agents could be largely automated. Thus, the central problem becomes how to 
delineate the ownership boundaries of information in B2C electronic com- 
merce in a way that could not only compensate information producers but also 
encourage beneficial value-added processes. 


There is little disagreement for information being generated by consu- 
mers or vendors due to pre-agreement when such information was provided. 
For example, when consumers provide their comments and ratings to a product 
on eBay or Epinion.com, they have to agree that such information belongs to 
the Site. Such agreements avoid possible argument in the future though we do 
not know they are fair to consumers or not. 


The information repackaged by agents is more complex. One important 
cause is such information is usually produced for free to be reviewed by con- 
sumers but other agents, be it shopbots or MetaBots, could also “review” it wi- 
thout being noticed, which leaves room for arguments. For information 
repackaged by shopbots, there is anther source of ambiguity. In early stage, 
shopbots collected product price information from vendor websites and in 
many case, without the formal approval of online vendors. When a Metabot 


235 


tries to retrieve and repackage the same piece of information from shopbots, in 
addition to the same cause of “free for review,” shopbots also have little stand 
to protect their information via ownership. It depends largely on legal rulings 
to decide who are favored in such case. 


Next, we will first give a brief illustration of shopbots or comparison 
shopping agents and the Web-based service category they created. 


3. The Case of Shopbots and Comparison-Shopping 
Services 


Since the first launch of BargainFinder in 1995, comparison-shopping as an 
effective online shopping mode attracts millions of consumers as well as large 
number of small vendors. It also inspired the creativity of at least two genera- 
tions of techno-entrepreneurs to develop ingénue shopbots that could retrieve 
more and more complex product information(Wan, 2005). 


However, this category of B2C ecommerce also experienced the most 
complicated legal challenges. As a result, the evolution of this information in- 
dustry category was probably more influenced by its lawsuits than technology 
advances. 


To be familiar with the details of the legal challenges in comparison- 
shopping services, we need to first introduce some typical scenarios of online 
shopping as well as what are the roles of comparison-shopping services: 


Suppose an online shopper visits an online store like bestbuy.com to 
look for the price of a digital camera and then click through to another online 
store like Amazon.com for the price of the same camera. Both are certainly le- 
gitimate actions. Now if we step further and suppose that this online shopper 
employ a shopping assistant and this assistant, representing the shopper, visit 
these two stores and retrieved the price for the online shopper — is this legiti- 
mate? 

This is exactly what comparison-shopping agent, BargainFinder, did in 
1995 and such query did receive blockade by some online music vendors (Krul- 
wich, 1996). So the first legal challenge is if online vendors have the rights to 
block the query of comparison-shopping agents? 

Now we step even further, suppose a comparison-shopping agent visits 
these two online stores and then cached the price of the same digital camera and 
then allow all incoming online shoppers to retrieve the price without going 
back to these two stores repeatedly, is this legitimate? 


This is the general practice of most comparison-shopping agents(Choi, 
2001; Jeanette, 2004; Rebecca, 1999). By caching the price information from 


236 


online vendors, they improve the efficiency of both themselves and online ven- 
dors. However, if data is retained on agents’ database, the legal risk of agents 
arises unless online vendors could benefit from such actions. 


So far, the potential legal risks of comparison-shopping services were 
just between online vendors and agents. Yet, the true challenge for comparison- 
shopping services lies in the data extraction among agents themselves. 


Again, suppose there is a comparison-shopping agent that does not col- 
lect price information from online vendors. Instead, it collects such informa- 
tion from a few other comparison-shopping agents (such agents are usually 
called “Meta-Search” agents or Metabots). So do the latter have the right to 
prohibit the former from querying its own search engine? Should the former 
compensate the latter or the vendor? 


Also, many comparison-shopping service provide rating information on 
products, vendors and consumers/buyers (on auction site). Will such informa- 
tion be transferable with the producer or it has to be retained by the site where 
the information was originally retained? 


With these preliminary questions, in next section, we reviewed the de- 
velopment of comparison-shopping services and examine how legal challen- 
ges influenced its development track and techno-business model. 


For the convenience of illustration, we divide its evolution history from 
1995 to 2005 into three stages: major conflicts of stakeholders and the resul- 
ting legal challenges and its influence are discussed within these stages. 


4. The Nascent Stage (1995~96): The Dilemma of Vendors 


The early stage of comparison-shopping service mainly revolved around the 
online vendors and shopbots. The central legal challenge is whether shopbots 
has the right to collect information from vendor sites? Or it can be asked in 
another way: whether one should be allowed to deep-link to another websites 
without permission? 


Back in 1995, when BargainFinder was first launched, there are two dif- 
ferent vendor attitudes: cooperation and blockade. Typically, small online ven- 
dors prefer to be searched by shopbots while more popular online vendors were 
hesitating (Krulwich, 1996). 


For small online vendors, they major business hurdle is visibility(Wan, 
2005). They usually could offer competitive price but their websites could only 
reach limited number of consumers due to budge constraint on advertising. 
The comparison-shopping service works like an indirect promotion and leve- 
led their competition ground with more established competitors, which usu- 


237 


ally asked higher price for the same product. Thus, they generally prefer the 
crawling of shopbots. 


For established popular online vendors, since they usually charge pre- 
mium price, they were afraid of losing their business when being compared 
for price only. Also, many popular online vendors generated their revenue from 
banner ads from their website, the link used by shopbots would bring the shop- 
per to the product page directly, thus potentially reduced their ad revenue tho- 
ugh it could be that this additional revenue might not happen if without the 
referral of shopbots. 


However, there are also potential gains from being listed in a compari- 
son-shopping service for vendors in both categories because it turned out on- 
line shoppers are not mere bargainfinders but also concern about service 
qualities as revealed by later studies (Brynjolfsson & Smith, 2000). Thus, po- 
pular vendors probably could also benefit from being listed in a shopbots. This 
was confirmed later with the popularity of comparison-shopping services. 


Driven by this new ecommerce opportunity, techno-entrepreneurs quic- 
kly scaled up the coverage of comparison-shopping service to a wider range of 
product categories. 


Among them, killerapp.com and pricewatch.com were the earliest com- 
parison-shopping services in online retailing (Peter, 1998). They were laun- 
ched in 1995 and both started in computer and electronic category. Meanwhile, 
due to the innate agent-mediated nature, personal finance and insurance were 
the other two product and service categories that attracted a lot of comparison- 
shopping services. Some of them were former agents in their respective field 
that essentially automated their services. 


Because of the relatively nascent stage and limited coverage of product 
and services by comparison-shopping, in the first two years of this new inter- 
net technology in operation, there were few lawsuits. 

There was no legal lawsuit directly addressing comparison-shopping se- 
rvice in the US, but a lawsuit launched in the late 1996 in Shetland, Scotland 
set a precedent on the deep linking problem shared by comparison-shopping se- 
rvices. 


In this lawsuit, a former employee of a local newspaper on Shetland 
launched a news website and he linked some news on the local newspaper’s 
website to his new website. The Scotland court issued an interim interdict ban- 
ning the links. Before the case was ruled by the court, the two publishers set- 
tled the case. 


Though there was no formal ruling for this lawsuit, the intention of the 
court from its interim interdict was limit the extent of deep link. From long 


238 


term perspective, such interim interdict discouraged innovative Web uses. Pro- 
bably that is the reason why for similar cases in the US, the rulings were op- 
posite. 


On the other side, this is also a thinking held even by Web inventor. For 
example, in his memoir(Berners-Lee, 2000), Tim Berners-Lee indicated that 
“the fundamental principle behind the Web was that once someone somewhere 
made available a document, database, graphic, sound, video, or screen at some 
stage in an interactive dialogue, it should be accessible (subject to authoriza- 
tion, of course) by anyone, with any type of computer, in any country.” (Italic 
was added for emphasis). 


5. The Rapid Growth (1997~02) 


The rapid growth in comparison-shopping service category started in 1997. 
Within one year, several major comparison-shopping startups launched and 
grew into major ecommerce portals including the leading shopbot, MySi- 
mon.com. 

Though, a few years before, the probing of shopbots to online vendors 
were frowned by the latter, soon both small and established online vendors re- 
alized that shopbots were not their foes but their free advertising channels 
(Wan, 2005). 

Many small online vendors began to proactively ask being listed on 
major shopbots. This became popular since 1997 and gradually, those major 
shopbots in retailing industry began to charge a listing fee for the services. This 
in turn begot another industry, the data feeding services that specializing in ad- 
ding online vendor’s products and prices to all kind of comparison-shopping 
services. 

There were complaints, but no high profile legal cases in online reta- 
iling sector between vendors and shopbots between this period (Plitch, 2002). 
However, among agents including both shopbots and Metabots, there were four 
notable lawsuits worth our attention. 

These legal disputes mainly evolved around two questions: 

e Should a Shopbot be allowed to collect information from an agent 

site without the consent of the owner? 

e Should a Metabot be allowed to collect information from a shopbot 

without the consent of the shopbot owner? 


The first types of lawsuits were mainly launched by traditional agents 
like Ticketmaster. Such agents depend on both Web advertising revenue and 
online brokerage to maintain their online presence. When shopbots retrieved 
the information from their website and then bring the consumer go to the pro- 


239 


duct page directly, or the so-called “deep link”, these agents felt threatened 
about their traditional agent role being eroded or even replaced. 

The second types of disputes were more complex: Since it is easier to re- 
trieve the price information from a single shopbot than from multiple online 
stores. A new type of shopbots called meta-shopbots or Metabots emerged 
since 1997. They searched a few well-known shopbots and aggregate infor- 
mation from these shopbots for consumers. Because of the technology advan- 
cement, sometimes, shopbots found themselves virtually impossible to block 
such probing by meta-shopbots, thus, the legal regulation became critical in 
this aspect. 

However, if legal measure was pursued, will the shopbot claim that the 
price and other product information it collected from online vendors its own in- 
tellectual property? Then how does it justify its own information collection ac- 
tion on online vendors? 

There were no existing laws and regulations directly address such be- 
havior at that time. As a result, when such lawsuits surfaced, the United States 
and Europe use different laws to interpret the situation. In the United States, the 
trespass of chattels clause was used; while in Europe, the sui generis provi- 
sions of the database directive was used. 

Next, we briefly illustrated these lawsuits (Table 1 in Appendix) in these 
two categories and analyzed how the court rulings affect the subsequent deve- 
lopment in comparison-shopping services. 


5.1. The two lawsuits by Ticketmaster 


There two lawsuits launched by Ticketmaster in 1997 and 1999 received a lot 
of media exposure and both address the first category: vendor and shopbots 
problem. 

Ticketmaster is a world leading ticketing company. It provides ticket 
sales, ticket resale services, marketing and distribution of event tickets and in- 
formation. It was also one of the earliest traditional agent businesses that uti- 
lizing the Web power to expand its market reach. 


The Ticketmaster vs. Microsoft lawsuit started on April 28, 1997 after 
Tickemaster broke its talk with Microsoft. Before that, Ticketmaster was ne- 
gotiating with Microsoft for a possible business relationship on an entertain- 
ment website launched by Microsoft called sidewalk. After the talk broke, 
Microsoft went ahead and provided hyperlinks on its sidewalk website to the 
ticket information page on Ticketmaster site directly and avoided the entry 
page, which has a lot of advertisements. Ticketmaster thus argued that a for- 
mal license agreement is required before anyone can link to its site. Mean- 


240 


while, Ticketmaster entered into an agreement with CitySearch, a competitor 
of Microsoft's sidewalk site. 


In its lawsuit against Microsoft, Ticketmaster claimed that: 1. the use of 
Ticketmaster's name and trademark in the unauthorized link dilutes the value 
of Ticketmaster's trademark and sponsorships with other companies (This claim 
referenced the 1995 Federal Trademark Dilution Act); and 2: Microsoft is pro- 
viding incorrect information on the payment methods accepted by Ticketma- 
ster. 


The lawsuit was settled without ruling in 1999 when these two compa- 
nies reached agreement. Microsoft sold its Sidewalk city guide service in 
exchange for an equity stake in Ticketmaster Online. 


The second lawsuit in this vein launched by Ticketmaster is against a 
relatively less well known site called Tickets.com. Tickets.com is an online 
provider of entertainment, sports and travel tickets. It provided hypertext links 
to Ticketmaster web pages for tickets not available at Tickets.com. Again, Tic- 
ketmaster sued tickets.com for copyright infringement as well as transferring 
customers to Web page deep within their site and this caused the customer to 
bypass the Ticketmaster home page, which has advertisements. 


The ruling came on March 27, 2000 in favor of Tickets.com. 


In addition to court ruling, public opinion largely stood on the side of tic- 
kets.com as well as Microsoft even though Microsoft is undergoing anti-trust 
lawsuit at that time. 


The ruling of the second lawsuit gives most comparison-shopping se- 
rvices the confidence to continue their existing business model. But on the 
shopbots vs. Metabots cases, the latter were consistently being in a disadvan- 
tageous position. The two most publicized lawsuits were Mysimon.com vs. 
Priceman.com and eBay vs. Bidder’s Edge. 


5.2. MySimon.com vs. Priceman.com 


Mysimon.com was one of the early comparison-shopping services. It became 
popular in 1997 and became the top players in this category. Priceman.com 
was a small Metabots Priceman.com was a Metabot launched by Neal Verman, 
a young computer consultant from Houston in 1998. 

On September 8, 1999, Josh Goldman, CEO of MySimon.com, noticed 
a much-publicized creative auction on eBay that selling 47.39% stake of a star- 
tup called priceman.com for $10 million. It turned out Priceman.com is a Me- 
tabot that searched prices information from multiple comparison-shopping sites 
including MySimon.com, then the largest one. According to Goldman, he 


241 


found Priceman.com used various background essays on comparison-shopping 
that ware written by MySimon employees with little or no changes. Thus My- 
Simon decided to file a lawsuit to Priceman for its violation of copyright (La- 
zarus, 1999). 


The legal claim by MySimon is cyber-trespass, which originated as an 
attempt to keep people from seidng unsolicited junk email to other computer 
systems. However, this claims was problematic in the case of Priceman be- 
cause Mysimon allow its site to be accessed by general public, which should 
include Priceman (Kaplan, 1999). 


Priceman ceased operation when MySimon launched the lawsuit and 
eventually closed its operation in 2000. 


5.3. eBay vs. Bidder’s Edge 


eBay vs. Bidder’s Edge was the most publicized lawsuits related to compari- 
son-shopping services. It is a lawsuit between shopbots and meta-shopbots. 
There are several important implications from this lawsuit, as we illustrate in 
this paper. 

In the late 1999, with the popularity of online auction, various auction 
services sites coming out. AuctionWatch.com and Bidder’s Edge were two le- 
ading auction service providers at that time. They provided auction news and 
review of ebay, ubid, onsale and other small auction sites. 


In late 1999, when competition heating up, many auction service provi- 
ders found it is necessary to have new features to attract users. One of the new 
features was providing comparison-shopping tools to allow users search an 
auction item across multiple auction sites including eBay. So these auction se- 
rvices sites essentially transformed their role into a meta-shopbot because eBay, 
as the broker between sellers and buyers, played the shopbot role. 


This was certainly a competitive feature for an auction service site, so in 
a short while, at least nine auction service sites began to provide similar se- 
rvices and all of them searched eBay because it is the largest online auction 
sites. 


This new feature irritated eBay, which had a 70% of online auction mar- 
ket share, because they feared that by allowing a consumer to compare auction 
items on eBay side-by-side with others so easily would make other smaller 
auction sites became popular and eroding the market share of eBay. Also, this 
would make the auction services sites became more popular and could poten- 
tially displace the leading position of eBay in online auction. 


Thus, in September, eBay issued a request to those auction service sites 


242 


and asked them to stop searching eBay sites. Bidder’s Edge became the first 
auction service site to comply with this request in August with a loss of 50 per- 
cent of the available auctions. However, soon Bidder’s Edge would realize that 
this could be a strategic mistake because AuctionWatch.com, its leading com- 
petitor in auction service, actually launched its own comparison-shopping tool 
in mid-September and allow users to search eBay and other auction sites under 
the pressures of legal threats from eBay. AuctionWatch.com also refused the li- 
censing offer by eBay, in which eBay would allow AuctionWatch.com to list 
its items but can not present them in the same results as those from other auc- 
tion sites, in other words, no comparison-shopping. 


In October 8, eBay sent a formal letter to AuctionWatch.com and asked 
it to stop culling auction listing from eBay’s site. AuctionWatch.com refused 
to comply. Meanwhile, since facts such as the price of an item and how much 
time is left in an action can’t be copyrighted, some legal experts thought eBay 
has little legal ground to stand on. Bidder’s Edge soon found that since other 
auction service sites continuing searching eBay without actual penalty, it would 
lose its competitive advantage in the competition if it stopped the searching 
by itself. So in November 2, Bidder’s Edge formally announced that it would 
resume the searching of eBay site. 


In November 4, eBay began to take first action by blocking the IP requ- 
est from AuctionWatch.com and filed a suite to prevent Bidder’s Edge from se- 
arching and displaying eBay’s auction listings on the Bidder’s Edge Web site. 
It turned out though both AuctionWatch.com and Bidder’s Edge were testing 
the limit of eBay, Auction Watch.com had another dimension of business rela- 
tionship with eBay so though it kept irritating eBay, eBay did not use legal me- 
asure against AuctionWatch.com. Actually In January 18, 2000, 
AuctionWatch.com used its new system to successfully work around eBay 
block and began to retrieve listings from eBay again. 


In February 7, Bidder’s Edge filed a countersuit against eBay and char- 
ging the company with anti-competitive actions. In April 14, the district court 
judge, Ronald Whyte, said in San Jose that he was leaning toward issuing an 
injunction that limit the ability of Bidder’s Edge to search eBay’s auctions and 
to display the results on its Web site. According to him, “(What) Bidder’s Edge 
was doing was potentially slowing down eBay servers and trespassing in a way 
that permission had not been granted.” This was partially in accordance with 
the argument to eBay attorney Janet Cullum, she said that searching and di- 
splaying amounts to trespassing and the information retrieved was intellectual 
property. 

In May 24, Ronald Whyte granted an injunction (went into effect in June 


243 





8) in eBay’s case against Bidder’s Edge ("Ebay, Inc vs. Bidder's Edge Inc, 
Order Granting Preliminary Injunction," 2000). However, Whyte de- 
nied a broader injunction based on eBay’s copyright and trademark claims. He 
also left open the possibility that Bidder’s Edge could continue to display links 
to eBay’s auction on it site. Two week’s later, Bidder’s Edge modified its se- 
arch of eBay by no longer listing its auctions along side those of Amazon.com, 
Yahoo and other auction sites. Meanwhile, Bidder’s Edge appealed the in- 
junction to the Ninth Circuit Court of Appeals. 


In June, 28 law professors from leading law schools in the country pu- 
blished a brief of Amici Curiae to support Bidder’s Edge in defending eBay’s 
claim ("eBay Inc. v. Bidder's Edge, Inc, United States Court of Appeals, Ninth 
Circuit, Case No. 00-15995," 2000). 


In February 15, 2001, Bidder’s Edge closed its site due to financial dif- 
ficulty. In March 1, eBay and Bidder’s Edge signed an agreement to end their 
legal dispute. Bidder’s Edge paid eBay an undisclosed amount of money and 
will drop its appeal of the injunction. Meanwhile, eBay established its licen- 
sed right of search model for auction service companies. 


In July 24, AuctionWatch.com agreed to stop searching eBay’s listings 
and in return, eBay named AuctionWatch.com as one of its preferred service 
providers. In 2003, AuctionWatch.com changed its name to Vendio.com. 


The eBay vs. Bidder’s Edge case showed us two different choices for 
Metabots. For Bidder’s Edge, because of its position of providing comparison- 
shopping for multiple shopbots including eBay, it was eventually crushed by 
the lawsuits even though there were many public supports behind it. For Auc- 
tionWatch, it gives up its Metabot position thus could continue to survive. 
These two cases largely deterred many later Metabot attempts. 


6. The Maturity: 2003 and forward 


After five rapid growth years and quite a few legal clarifications, the business 
model and technology infrastructure of comparison shopping service became 
mature. This is especially reflected in the online retailing category. 


Because of the active participation of online vendors, leading shopbots 
in this category grew exponentially. Also, without any legal risk, these shop- 
bots became the target of big ticket acquisitions. Thus, we witnessed the mer- 
ger and acquisition wave since 2003 and it reaches its climax in 2005 when the 
top 3 comparison-shopping services were subsequent acquired by established 
business in ecommerce and advertising industry. On the other side, the deve- 
lopment of Metabots in online retailing was stalled. There are almost no major 


244 


attempts to aggregate results from existing shopbots though it could further 
benefit the consumers. The ruling of eBay vs. Bidders’ edge as well as MySi- 
mon.com vs. Priceman.com deterred most innovators in this field though in 
some service categories like online travelling, Metabots like Kayak.com and 
Sidestep.com did draw some public attention since 2000, but their influence on 
overall electronic commerce market is rather limited. 


As a result, with the legal impacts at the formation stage of Web-based 
comparison-shopping industry, we observed a more concentrated format as it 
currently is with shopbots dominated the market while Metabots only scarcely 
exist. 


7. Conclusion 


In this paper we explored the legal challenges to formation of an emerging 
ecommerce market, comparison-shopping services. We analyzed the histori- 
cal development of this new business model and its co-evolution with the tech- 
nology and legal constraints. 


We demonstrated how new technologies brought unprecedented chal- 
lenges to existing laws and policies. Sometimes, such challenges could greatly 
influence the way the techno-business infrastructure develops for ecommerce. 
We illustrated how several legal rulings influenced the development track of 
two types of comparison-shopping technologies, the Shopbots and Metabots. 
Future research is needed to explore exactly how these impacts influenced the 
general welfare of consumers as well as innovation of technologies. 


References 


1. Berners-Lee, T. (2000). Weaving the Web: the original design of the World Wide Web 
by its inventor. New York, NY: HarperCollins. 

2. Brynjolfsson, E., & Smith, M. D. (2000). The Great Equalizer? Consumer Choice Be- 
havior at Internet Shopbots. Working Paper. 

3. Choi, J. (2001). A Customized Comparison-Shopping Agent. IEICE TRANS. COM- 
MUN., E84-B(6), 1694-1696. 

4. Coase, R. H. (1960). The problem of social cost. Journal of Law and Economics, 3, 1- 
44. 

5. eBay Inc. v. Bidder's Edge, Inc, United States Court of Appeals, Ninth Circuit, Case No. 
00-15995 [Electronic (2000). Version]. Brief of Amici Curiae in Support of Bidder's 
Edge, Inc. 

6. Ebay, Inc vs. Bidder's Edge Inc, Order Granting Preliminary Injunction, C-99-21200 
RMW C.F.R. (2000). 


7. Etzioni, O. (1997). Moving Up the Information Food Chain: Deploying Softbots on the 
World Wide Web. AI Magazine, 18(2), 11-18. 


245 





8. Jeanette, B. (2004). Technology (A Special Report); Lost in Traffic: The boom in com- 
parison-shopping sites threatens to squeeze out smaller businesses; Here's how the lit- 
tle guy can survive. Wall Street Journal, R.9. 
9. Kaplan, C. S. (1999). A search site for search sites is accused of trespassing. Cyber Law 
Journal. 
10. Krulwich, B. (1996). The BargainFinder Agent: Comparison Price Shopping on the In- 
ternet. In J. Williams (Ed.), Bots, and Other Internet Beasties (pp. 257-263). Indiana- 
polis: Macmillan Computer Publishing. 
11. Lazarus, D. (1999). MySimon.com Says Startup Stole Ideas. San Francisco Chronicle, 
p. 1. 
12. Maes, P. (1994). Agents that reduce work and information overload. Communications 
of the ACM, 37(7), 30-40. 
13. Peter, J. (1998). Shopbots: Shopping robots for electronic commerce. Online, 22(4), 14. 
14. Plitch, P. (2002). E-Commerce (A Special Report): The Rules --- Law: Are Bots Legal? 
--- Comparison-shopping sites say they make the Web manageable; Critics say they 
trespass. Wall Street Journal, 240(54), R.13. 

. Rebecca, Q. (1999). 'Find Anything' at Junglee.com -- Well, Almost. Wall Street Jour- 
nal, B.1. 

16. Wan, Y. (2005). Comparison-Shopping as an Emerging Channel to Increase Web Visi- 
bility for Small- and Medium-sized Enterprises (SME) in the United States. In N. A. 
Al-Qirim (Ed.), Global Electronic Business Research: Opportunities and Directions 
(pp. 214-237). Hershey, PA: Idea Group. 

17. Wan, Y., Menon, S., & Ramaprasad, A. (2003). A Classification of Comparison-shop- 
ping Agents. Paper presented at the Fifth International Conference on Electronic Com- 
merce, Pittsburgh, PA. 


1 


ws 


Appendix 


Table 1: Four major lawsuits between 1997~2002 






Filed 
1997 
1999 
2000 






246 


Cross-border business in the European Union and 
statutory disclosure requirements: using IT as a catalyst 
for further market integration 


Kristof MARESCEAU 


K. Maresceau is a researcher at the Financial Law Institute, Ghent University 
(Belgium). In that position he is preparing a doctoral thesis on a possible 
‘Delaware’-effect in the European Union. 


Contact: Kristof. Maresceau@ugent.be 
Michel TISON 


M. Tison is professor of financial and commercial law at the Financial Law 
Institute, 
Ghent University (Belgium). 


Contact: Michel. Tison@ugent.be 


Abstract. This paper highlights the gap between the opportunities for 
EU-companies to fully exploit their freedom of establishment on the one 
hand and the obstacles flowing from the mainly national organisation 
of information filing requirements through business registers on the 
other hand. From the point of view of companies, this gap partly neu- 
tralises the efforts replayed both in EU regulation and ECJ jurisprudence 
to guarantee the freedom of establishment. Companies are not only often 
obliged to file the same information in different countries but, due to the 
lack of information sharing between the countries in which they are es- 
tablished, investors, creditors and other stakeholders may suffer infor- 
mation asymmetries. We analyse the possible legal approaches towards 
organising the filing of information in a network model. The design of 
a technical solution to improve the cross-border sharing of corporate 
data in order to decrease administrative burdens on the freedom lies at 
the heart of the BRITE project. BRITE wishes to increase the interop- 
erability of business registers, not only with a view to facilitating the 
cross-border establishment of companies, but also as a tool for other 
users (including public authorities) who can benefit from the better dis- 
semination of public company data and the possibility to aggregate data 
at a European level. We submit that the European lawmakers have not 
yet fully exploited the possibilities offered by linking national public in- 
formation systems into networks, although the Transparency Directive 
does envisage a network approach as regards the dissemination of com- 
pany and financial information by listed companies. 


1. Introduction 


One of the main objectives of the European Union is to promote throughout the 
Community a harmonious, balanced and sustainable development of economic 
activities (Article 2 EC Treaty). The creation of a single European market, of 


247 


which the internal market is a fundamental component, is believed to be the 
most important way to achieve this ambitious goal (Article 3, 1), c) EC Treaty). 
By the abolition of obstacles to the free movement of goods, persons, services 
and capital, the European Union wishes to make of the integrated European 
market world’s most competitive and dynamic market (Lisbon European Coun- 
cil 2000). 


As a part of this project, the European Community is aiming at the 
‘transnationalisation’ of companies, i.e. the process by which companies extend 
their economic activities to other Member States than those where they are in- 
corporated. [1] In this way competition between companies or firms deploying 
economic activities in the European Union will increase. This should in turn re- 
sult in better company performance and thus in lower prices for consumers. It 
is precisely with this objective that the EC Treaty grants the freedom of estab- 
lishment to companies or firms formed in accordance with the law of a Mem- 
ber State and having their registered office, central administration or principal 
place of business within the Community (which we call hereafter ‘EU-com- 
panies’) (Article 43 in combination with 48 EC Treaty). Hence, the freedom of 
establishment has a clear economic function as it is one of the most significant 
tools to increase the mobility of factors of production. An overview of the con- 
tent of the freedom of establishment as currently envisaged by the European 
Court of Justice will be provided in section 2. 


However, the achievement of the freedom of establishment cannot be 
realised solely by the Treaty. Notwithstanding the direct applicability of the 
principle of freedom of establishment in the legal order of the EU Member 
States [2], the cross-border establishment of companies involves the submis- 
sion to local rules in the state of establishment designed to protect various 
stakeholders (creditors, shareholders etc.). In order to eliminate the costs as- 
sociated with the disparities of regulations across EU Member States, the 
Treaty has vested the European legislator with powers to adopt harmonization 
directives (Article 44 EC Treaty). As regards the setting-up and the cross-bor- 
der establishment of companies, part of this harmonization relates to the dis- 
closure of corporate information [3]. Section 3 will look into the filing 
obligations of private and public limited companies as well as the access to 
that information. This analysis will demonstrate that, in the present stage of 
EU harmonization, the cross-border establishment of companies still involves 
substantial costs due to the mere national organisation of business registers and 
the limited access possibilities to these registers. 


In section 4, we develop the viewpoint that, taking into account the mod- 
ification of the First Company Law Directive (Directive 68/151/EEC), the cur- 
rent European regulatory framework regarding the dissemination of corporate 


248 


information still lags behind the possibilities offered by today’s information 
and communication technologies. In order to eliminate multiple filing of iden- 
tical information in different countries when taking advantage of the freedom 
of cross-border establishment, three theoretical models will be presented with 
their different impact on the accessibility of the information by end-users. 
However, in the light of the present legal framework, only one model could 
and should effectively be implemented. 


Section 5 will give some comments on the BRITE project, the aim of 
which is to create a platform offering advanced features regarding the inter- 
connection and interoperability of business registers across Europe. This re- 
search project further explores the possibilities to improve the delivery as well 
as the retrieval of company and financial data in a significant way. If its tech- 
nical solution would be in place, the ‘several-stop-shop’ concept in terms of de- 
livery, as currently envisaged within European company law, could evolve 
towards a ‘one stop shop’-system, and trigger a simplification of the European 
legal framework while reducing regulatory costs for businesses. 


Section 6 will stress the potential advantages of the BRITE platform for 
many users in other areas of economic life. The prospect of value added serv- 
ices that enhance the transparency of business registers opens up opportunities 
for adequately using business register data in the fight against money launder- 
ing and terrorism financing in particularly. Also the linkage between business 
registers and officially appointed mechanisms (OAMs) to be set up for the dis- 
semination of information by listed companies could contribute to better per- 
forming securities markets and more investor protection through improved 
access to relevant information. 


We will conclude with the standpoint that the realization of a system of 
cross-border and cross-domain interoperability of company data is currently 
feasible. This technical platform, in combination with a simplification of the 
current legal framework, could do its part in the ongoing efforts for the estab- 
lishment of a true European single market. However, further research will be 
needed to assess the consequences of the increased mobility and use of busi- 
ness register data on privacy protection, as the European Data Protection Di- 
rective (Directive 95/46/EC) does not seem to be fully adapted to this 
evolution. 


2. Recent developments in the field of freedom of 
establishment 


At first glance, the Articles 43 and 48 of the EC Treaty provide the necessary 
conditions for companies to be able to fully exercise their freedom of estab- 


249 


lishment. These provisions amount to a clear prohibition for Member States to 
restrict the setting-up on their territories of agencies, branches or subsidiaries 
established in their territory (i.e. a secondary establishment) It further clarifies 
that EU companies have the right to take up and pursue activities and to set up 
and manage other EU companies under the conditions laid down for its own na- 
tionals by the law of the country where such establishment is effected. 


However, since the EC Treaty came into force, numerous legal obstacles 
prevented companies from enjoying the same freedom of movement as natu- 
ral persons. After a wave of harmonisation which brought down many burdens 
on the cross-border mobility of companies, the regulatory activity came to a 
dead end. The lack of further legislation on the mutual recognition of EU-com- 
panies, on the retention of legal personality in the event of cross-border seat 
transfer and on the possibility of mergers between companies or firms gov- 
erned by the laws of different countries (Article 293 EC Treaty), constituted a 
restraint on the exercise by EU-companies of the freedom of establishment. 
(Wymeersch, 2003) The yawning gap between European company law sys- 
tems that adhere to the so-called ‘Incorporation theory’ on the one hand and 
those that follow the ‘Real Seat theory’ on the other hand symbolised the po- 
litical interests at stake [4]. (Hirt, 2004) Irrespective of the company law sys- 
tem, Member States took measures to prevent the circumvention of their 
national legislation, thus creating market fragmentation. 


In the last decade the European Court of Justice (ECJ), through a num- 
ber of landmark judgments [5], has played a pronounced pro-active role in im- 
proving the conditions for cross-border establishment of companies in Europe. 
As a result of these judgments, there is currently no doubt that Member States 
should allow companies that have been incorporated in other Member States 
to freely enter their territory, according to the rules under which they have been 
formed in their state of origin. (Omar, 2005) This ECJ case law has also trig- 
gered other significant regulatory developments in European company law. 
Member States eventually managed to reach the necessary agreement to adopt 
a Directive governing the cross-border merger of companies (Directive 
2005/56/EC) as well as to introduce a new type of company, namely the ‘So- 
cietas Europaea’ (SE) (Council Regulation No 2157/2001). These legal in- 
struments indirectly enable companies to transfer their corporate seat to another 
Member State without being wound-up. Whether a direct transfer of the com- 
pany seat for other company forms will be possible, depends on the outcome 
of the draft Fourteenth Company Law Directive and/or the judgment of the 
ECJ in the ‘Cartesio’-case (C-210/06). 


The evolution in the ECJ case law and in European company law har- 
monization seems to illustrate that the freedom of establishment is more and 


250 


more heading at the ‘home country control’-principle. Once a company is con- 
stituted in a legally valid way according to the State of incorporation, other 
Member States cannot deny its legal capacity or impose burdens on the free- 
dom of establishment, unless it would be justified on the basis of the ‘general 
good’ [6]. As a result of this, companies can now freely choose the legal sys- 
tem they consider being the most appropriate for their businesses, a situation 
that in consequence could trigger a competition between EU Member States for 
corporate charters, comparable to the so-called “Delaware effect” in US cor- 
porate law. (Enriques & Gelter, 2006). After the incorporation in accordance 
with the law of that chosen jurisdiction, they will be entitled to set up branches 
in other EU countries, operating mainly under the corporate statute of their 
home country. There is ample empirical evidence showing that entrepreneurs 
have indeed made use of the opportunities for forum shopping offered by the 
recent jurisprudential developments. Between 2003 and 2006 not less than over 
67,000 new private limited companies were established in the UK by residents 
of other EU Member States, without any operational activity in the UK (Becht, 
Mayer & Wagner, 2006). The operational activities are located in branches set 
up in other Member States. 


The increased dislocation of the legal structure and the actual centre of 
business of companies amplifies the necessity to elaborate legal instruments to 
make sure that corporate information is easily accessible to interested stake- 
holders of the company in the countries of operational activity of the compa- 
nies (notably creditors and public authorities). The following section examines 
to which extent the current European regulatory framework concerning dis- 
closure requirements imposed on private and public limited companies is 
adapted to that new business reality. 


3. Business transparency in the single market 


In order to facilitate the exercise of the freedom of establishment, the European 
Community has enacted eleven Company Law Directives. These were impor- 
tant in relation to limited liability companies that frequently extend their ac- 
tivities beyond their national borders. The harmonization realized by these 
Directives aims at reducing red tape by helping companies to operate through- 
out the EU on the basis of a single set of rules and a unified management and 
reporting system. In the light of this paper, only the harmonization relating to 
disclosure requirements will be analysed. 


3.1. Supply of company information to business registers 


In order to increase transparency and confidence in the governance of compa- 
nies, to protect investors, employees and the public against corporate cheat- 


251 





ing, fraud and mismanagement, both private and public companies are required 
to disclose a far-ranging set of corporate and financial information. 


As far as corporate data are concerned, Article 2 of the First Company 
Directive requires non-listed and public limited companies to disclose infor- 
mation covering every aspect of corporate life: ranging from its constitution 
(such as the instrument of constitution), through its corporate life (balance sheet 
and profit and loss accounts for each financial year) until its liquidation. All this 
information must be notified to the business register located in the territory in 
which the company is incorporated. 


In view of the national dimension of business register microstructures, the set- 
ting-up of most cross-border or out-of-state company structures (e. g. branch es- 
tablishment, creation of a subsidiary) will require filing in business registers in 
other Member States of data which often are already available in the home 
state of the company. For example, the establishment of a branch by a EU- 
company in another Member State goes along with extensive disclosure re- 
quirements pursuant to the 11" Company Law Directive in order to ensure the 
protection of persons who deal with companies through the intermediary of 
branches. A closer look at the latter Directive learns that the compulsory dis- 
closure covers documents not only relating to branch-specific data (such as the 
address and activities of the branch) but relating to general company related 
data as well. Hence, the disclosure requirements concerning company data 
(such as the duty to file information on the appointment, termination and iden- 
tity of persons who are authorized to represent the company, the winding up of 
the company, the appointment of liquidators, accounting documents and so on) 
duplicate with data already filed in the home state of the company. 


From the perspective of the company, the need to comply with these require- 
ments in various jurisdictions entails superfluous costs, taking into account as 
well the possible disparities in the disclosure obligations, and the need to have 
documents translated and certified. 


In the case of companies the shares of which are traded on a regulated 
market in the EU (‘listed companies’) the disclosure requirements flowing from 
European securities regulation, notably the Transparency Directive (Directive 
2004/109/EC), are far more extensive. The information to be disclosed pur- 
suant the Transparency Directive consists of annual and half-yearly financial 
reports, interim management statements (or, alternatively, quarterly financial 
reports required under national law), ongoing information (such as major share- 
holders notifications), the disclosure of inside information which is prescribed 
under Article 6 of the Market Abuse Directive 2003/6/EC and, if applicable, 
more severe disclosure requirements imposed by the issuer’s home Member 


252 


State. Together with its public disclosure, the information must also be notified 
to the competent authority and to the officially appointed mechanism (OAM) 
of the issuer’s home Member State, set up pursuant to Article 21 (2) Trans- 
parency Directive. (Huemer, 2005) 


In contrast to the disclosure of company data, however, the Transparency Di- 
rective opts for a system that avoids the unnecessary duplication of filing re- 
quirements. Fully in line with the ‘home country control’-principle, the 
notification of information must be made only to the competent authority and 
to the officially appointed mechanism of the home Member State. In order to 
determine the home Member State, a distinction between two situations should 
be made. In most cases the home Member state under the Transparency Di- 
rective will coincide with the country of incorporation. However, issuers of 
debt securities with a denomination per unit of more than EUR 1000 can 
choose their home Member State among the Member State in which they have 
their registered office and those where their securities are admitted to trading 
on a regulated market. 


The home state rule as regards the supply of information leads, in a cross-bor- 
der context, to a ‘one stop shop’ for the issuer: financial information must only 
be filed with the competent authority and the officially appointed mechanism 
of one Member State; conversely, the other Member State where securities of 
the issuer are listed (‘host states’) are prohibited from imposing more stringent 
disclosure requirements than those laid down in the Transparency Directive 
[7]. In addition to this, the European legislator recognises that any obligation 
for an issuer to translate information into all the relevant languages in all Mem- 
ber States where its securities are admitted to trading has deterrent effects on 
the cross-border admission of securities to trading on regulated markets. There- 
fore, the Transparency Directive stipulates that the issuer should in certain 
cases be entitled to disclose financial information drawn up in a language that 
is customary in the sphere of international finance. (Karmel, 2005) In fact, this 
leads to the use of English as the lingua franca in most cross-border securi- 
ties issues. 


Despite these improvements in comparison with the Company Law Di- 
rectives, the European legislator still maintains, within the home state, a sys- 
tem of multiple information supply channels: The Transparency Directive is 
based on a concept of intermediary-based dissemination, under which issuers 
must supply the information to the competent authorities at the same time they 
disclose financial information and make it available to the officially appointed 
mechanism. Moreover, the Transparency Directive does not affect the home 
Member State’s right to require from the issuer to publish, in addition, parts of 
or all regulated information through newspapers. Such a requirement looks in- 


253 


creasingly anachronistic in an era of broadly accessible internet-based techno- 
logies. 

For listed companies with establishments in different Member State, the 
combined requirements to disclose corporate and financial data may end up in 
a burdensome situation for the company and a fragmentation of information 
from the point of view of the investor. To illustrate this, we take the example 
of a public limited company with its registered office in the UK, having a 
branch office in Belgium and the shares of which are admitted to trading on 
Xetra (Frankfurt’s stock exchange). In view of the disclosure requirements de- 
scribed above, this company will have to file corporate information with busi- 
ness registers located in the UK and in Belgium, as well as to disclose financial 
information and to notify it to the competent authority and to the OAM of Ger- 
many. Moreover, Belgian law will require a certified translation of the company 
documents into French or Dutch; while German law may require the informa- 
tion to be made available in German or English and to publish notices in news- 
papers. This multiplication of often divergent requirements not only increases 
the risk of non-compliance, and ensuing liability risks for executives, but it 
also leads to fragmentation of the available information over several registers 
or databases in different countries. It is obvious that this is likely to affect, both 
for companies and investors, the potentialities for taking advantage of a single 
European marketplace. 


3.2. Retrieval of information by end-users 


In order to assess the degree of fragmentation of relevant information when 
companies use their freedom of establishment, we will hereafter distinguish 
between company information in the narrow sense, and financial information 
for listed companies. 


The disclosure requirements as regards corporate information result in 
the situation where, in principle, information about a company is filed in the 
business register of each Member State where the company deploys activities 
on a permanent basis. As each business register will contain basic information 
about the company’s head office on the one hand, and country-specific infor- 
mation about the local establishments on the other hand, no consolidated data 
are readily available about the functioning of the company on an EU wide 
basis. For instance, the business register of the country where the company’s 
head office is located, does not contain information on the existence branch 
offices located in other countries. This fragmentation threatens both the accu- 
racy of corporate information and its accessibility for interested stakeholders. 


As regards the accuracy of the information, there is always a risk that the in- 


254 


formation contained in a multitude of business registers, as a result of multi- 
ple filings is not fully consistent. Furthermore, as business registers do not 
work on a real-time basis, the multiplication of filings in different Member 
States is likely to generate time lags between business registers. The differ- 
ences as regards the delay for the update of data in different business registers 
may in some situations be harmful for various stakeholders. For instance, when 
the company has been dissolved on the home register but would still have a 
branch office registered in another Member State, the branch could continue to 
trade in the host state without an associated registered parent company. 


With respect to the accessibility of data contained in business registers, 
until a few years ago most business registers in Europe still existed as mere 
‘paper repositories’ of company data, providing in fact only very limited op- 
portunities for access to and dissemination of the company information. As a 
result of the 1999 recommendations of the SLIM working group on the sim- 
plification of the First and Second Company Law Directives, Article 3 of the 
First Company Law Directive was amended by Directive 2003/58/EC with a 
view to ensuring the electronic accessibility of the data filed in the company 
registers. These modifications will obviously result in both cost reduction for 
filing by companies, and in increased accessibility to data. The improved data 
accessibility is, however, limited: only the request for specific documents and 
the delivery thereof must be made available in electronic form. The Directive 
does not provide for an automatic open access to the register for searches by 
interested parties; neither does it create any interconnection between business 
registers enabling end-users to obtain data on a foreign company through their 
domestic business register. 


This situation generates substantial information asymmetries for the var- 
ious stakeholders, in particular when they are less familiar with the access to 
business registers located in other Member States, possibly also facing lan- 
guage barriers. Policy efforts to promote the interpenetration of national 
economies through the facilitation of the cross-border establishment of com- 
panies should therefore focus as well on the need to improve the access to in- 
formation both locally and in a cross-border context. The existence of today’s 
web based network technologies clearly contrasts in this respect with today’s 
legal provisions regarding business register organisation. (COM 2007). 

As far as financial information is concerned, the prospects in terms of re- 
trieval are, mainly for two reasons, significantly better compared to the access 
to corporate information. 

First, contrary to the Company Law Directives, the European Trans- 
parency Directive organizes the access to information about listed companies 
at an EU-wide level. In order to actively promote the integration of European 


255 


capital markets, the Transparency Directive obliges Member States to ensure 
that issuers disclose financial data in a manner ensuring a fast access to such 
information on a non-discriminatory basis. In this way all investors and other 
interested third parties, independently of the Member State where they are lo- 
cated, should be assured of equal treatment when seeking access to such in- 
formation. 


Second, the Transparency directive requires from Member States to set 
up a national ‘one-stop-shop’ system in relation to the retrieval of financial 
data through the appointment of one single ‘Officially Appointed Mechanism’ 
(OAM) at national level, to which issuers will have to notify the ‘regulated in- 
formation’ listed in the Transparency Directive. These OAMs will function as 
repositories of all financial information that has been filed by issuers and can 
be viewed as the official single access point to that information (CESR- 
06/292). Hence, this should enable end-users to take advantage of a single so- 
urce for the regulated information of all issuers for which the Member state 
qualifies as ‘home state’. More importantly, the Transparency Directive also 
obliges Member States to draw up appropriate guidelines with a view to fur- 
ther facilitating the public access to relevant information on issuers. The aim 
of those guidelines shall be to enable the interconnection of databases and re- 
gisters with a view to aggregate data about the issuers from different (public) 
sources. Notably, the Transparency Directive envisages the creation of (a) an 
electronic network at national level between national securities regulators, ope- 
rators of regulated markets and national company registers and (b) a single 
electronic network or a platform of electronic networks across Europe. If such 
a network or platform would be in place, the access to financial information 
beyond the substantive and geographical scope of a single OAM would be po- 
ssible. Such a network would create a one-stop-shop in relation to the retrie- 
val of financial as well as corporate information about issuers across Europe. 
(See also Recommendation 2007/657/EC in this respect) However, the achie- 
vement of this one-stop-shop would not imply any changes to the several-stop- 
shop relating to the supply of data, nor to the issues described above concerning 
the retrieval of corporate information. 


Taking into account the possibilities offered by network technologies 
and the example for listed companies, the question arises whether further re- 
gulatory action is not required in order to organise the company law related fi- 
ling obligations incumbent on companies in the perspective of the 
interconnection of business registers at European level. This issue will be di- 
scussed in the next section. 


256 


4. Avoiding multiplication of filing requirements in cross- 
border company transactions and improving access by 
end-users 


4.1. Reduction of burdens in relation to the filing of information 


The desire to facilitate the cross-border mobility of companies through a re- 
duction of regulatory burdens associated with the filing obligations concerning 
company data has been highlighted in different policy initiatives but this was 
until now not translated into concrete initiatives. Especially the SLIM (‘Sim- 
pler Legislation for the Internal Market’) Working Group on the simplification 
of the First and Second Company Law Directives is relevant in this respect. The 
Working Group acknowledged the importance of modernizing the business 
registers through enhanced electronic filing and access, in the prospect of in- 
terconnecting business registers with the aim of facilitating access to data 
across borders, and eventually to move to a “home country” principle as re- 
gards filing requirements incumbent on companies. In this regard, a parallel 
would be made with the “home country” principle as followed by the European 
Court of Justice case law concerning the freedom of establishment. As already 
mentioned, these recommendations resulted in the amendment of Article 3 of 
the First Company Directive with the effect that, as from 1 January 2007, busi- 
ness registers are obliged to convert documents filed by paper means into elec- 
tronic form. Although this amendment is clearly less far-reaching than the 
recommendations issued by the SLIM Working Group on the simplification of 
the First and Second Company Law Directives, it is a first step in facilitating 
the remote access to business register data. 


4.2. Reduction of burdens in relation to the retrieval of information 


Internet based technologies should allow for better dissemination of company 
information. Instead of physically going to the business register, wherever it 
may be located, end-users could connect to the internet in order to consult in- 
formation about a specified company. In this regard, the amendment of Article 
3 of the First Company Law Directive earns the credit for providing the avail- 
ability of electronic forms of company data filed in European business regis- 
ters. Although it does not provide for an automatic open access to the register 
for searches by interested parties, the reality shows that business registers are 
willing to make their databases available for open access through the internet. 

Furthermore, today’s information and communication technologies 
could also be used to interconnect business registers form different Member 
States. In this way, the accessibility of company data could further be simpli- 


257 


fied for interested third parties. An example of this is the interconnection of bu- 
siness registers realized through “European Business Registers” (EBR), a Eu- 
ropean Economic Interest Group composed of the (central) business registers, 
whether public bodies or private businesses, of most of the EU Member Sta- 
tes. EBR provides a single point of multilingual telematic access to a part of 
the information held in the registers participating in the network. By searching 
on a company name, the EBR-network will produce a company profile that 
contains the most important information available in any business register con- 
nected to the network. The advantage of such a kind of network is obvious. It 
puts end-users in the position to search company information on an EU-wide 
basis through a single access point. 


4.3. The interconnection of business registers and filing obligations: 
in search of a regulatory model 


Starting from the proposition that the availability of company information is es- 
sential for various interested parties (creditors, competitors, government), it is 
submitted by the SLIM Working Group on the simplification of the First and 
Second Company Law Directives that regulatory costs for the company can 
be reduced through the interconnection of business registers without threaten- 
ing the interests of other stakeholders. In theory, ICT could realize the elimi- 
nation of multiple filing of identical information in three ways. 


First, the duplication in filing requirements could be eliminated by the 
provision that only country-specific information must be filed in each national 
business register where a specific EU-company has a branch or agency. After 
all, current technologies make it possible to provide direct access across Europe 
to company information filed in the home state. Although such a system would 
be more cost-effective for the company itself compared with the current situ- 
ation, as it would avoid any duplication in publication obligations, it would 
still stick to a several-stop-delivery concept. Moreover, it would require a mo- 
dification of the Eleventh Company Law Directive on cross-border branching. 
Finally, this model would not fundamentally eliminate the fragmentation of 
company data across different business registers. 


The second model, the ‘home country principle’, would require each 
company to file its data exclusively in its home state, including the specific 
data relating to an out-of-state branch. Through the interconnection of regi- 
sters, all data would be accessible all over Europe. Under such a system, which 
is comparable with the aim of the Transparency Directive, all information re- 
lating to the Europe-wide activities of a company (including out-of-state bran- 
ches) would be centralised in the country of its registered office, and would be 
made available either directly, or through the interlinkage with the business re- 


258 


gisters of other Member States. This “home state” system would clearly bene- 
fit both companies (low cost of filing) and end-users (one-stop-shop in terms 
of accessibility), but it is inconsistent with the present legal framework, which 
is still based on the filing in the national company registers of all countries 
concerned of the transaction or the cross-border establishment. 


The third model adopts the principle that the home state data can be used 
for the purpose of complying with filing obligations in other member states 
where a company transaction is realized. Under this system, the interconnec- 
tion of business registers would not result in a fully-fledged home state rule, but 
would nevertheless reduce regulatory costs by limiting the additional filing re- 
quirements to the country-specific data. Apart from reducing costs for the com- 
pany, this system has the advantage of accessibility of all relevant data in each 
member state. It is also consistent with the present legal framework. 


Although the second model would be the most effective in terms of both 
filing costs and retrieval burdens, it would require a fundamental change in the 
present regulatory framework. In the present situation, the third model consti- 
tutes a second-best solution. Therefore, the following section will provide more 
details on a European research project (BRITE) that aims at the design of an 
architecture to implement the third approach, through the interconnection of 
and advanced interoperability of national business registers. 


5. The future is BRITE? 


BRITE (Business Register Interoperability Throughout Europe), is a three year 
(2006-2009) research project, under the European Commission’s 6" Frame- 
work Program that should build the foundations for complete cross-border in- 
teroperability between business registers at a European level. The main project 
objective is to develop, to implement and to demonstrate an advanced inter- 
operability model, an ICT service platform and a management instrument for 
business registers to interact across the EU. Thus, the platform would facilitate 
cross-border access to and exchange of official company information. This 
would in turn enable to initiate processes facilitating filing requirements asso- 
ciated with cross-border mobility and establishment of companies as well as the 
creation of value added services connected with business register data. 

The benefits of the implementation of such a BRITE platform are 
obvious. 

Regarding the filing of company data, company management may gre- 
atly benefit from the automation of the branch registration process. It would 
enable the host business register to remotely retrieve the documents required 
to process a branch registration, and potentially allow the parent company to 


259 


register a branch in another member state directly from its home register (a 
one-stop-shop in terms of delivery of corporate data). F ollowing the third ap- 
proach as explained in section 4.3, the system would neutralize most costs re- 
lated to duplications in disclosure requirements enforced by the Eleventh 
Company Law Directive. It also opens up perspectives in view of the forthco- 
ming Directive on the transfer of the registered office, the transfer of the seat 
of SE’s, cross-border mergers etc. 


As far as retrieval of company information is concerned, the BRITE 
platform has the potential to both improve the accuracy of the consulted data 
and the access to the data by interested parties. As mentioned before, third par- 
ties could suffer severely from any delay in updating information filed in host 
business registers. To take away the unremitting suspense about the accuracy 
of company information, BRITE is designing robust links between the register 
of the branch and that of the company. These would allow host registers, thro- 
ugh an alert or notification service, to be automatically notified of critical com- 
pany status changes and therefore receive an early warning, allowing them to 
take appropriate action. In its turn, companies deploying economic activities in 
other Member States than their home state could benefit from stakeholder’s 
reinforced trust in the accuracy of company information. Thus, creditors or in- 
vestors could take better informed decisions as they will be provided with 
easier access to company information, such as the location and number of re- 
gistered branches. More specifically, if a search on a company is being made, 
the platform will interrogate every business register connected to it and will re- 
trieve corporate data on a consolidated basis. 


If such a platform would be in place, it would be possible to revisit the 
SLIM proposals for the registration of branches, as the technological condi- 
tions would be in place for a further simplification of the regulatory frame- 
work (see also COM 2007). The SLIM Working Group indeed recommended 
that the Eleventh Company Law Directive should be altered to provide that 
the registration of a branch should take place on the register where the company 
is registered, and that no further registration should be necessary where the 
company establishes the branch. However, that proposal was not brought for- 
ward by the Commission because the technological infrastructure was not in 
place to support proper control and disclosure. 


6. Enabling other users to gain access to company data 


The availability of company information is, in today’s complex economies, 
not confined to allowing various ‘private’ stakeholders (creditors, sharehol- 
ders, etc.) to gain access to relevant data about the legal form, the company hi- 


260 


story and the operations of the company. Increasingly, public authorities show 
an interest in obtaining access to company data for the purpose of discharging 
their own public functions. The increased potential for (cross-border) mobility 
and restructuring of companies in the EU amplifies the need for adequate se- 
arch engines. Gaining easy access to and use of electronically stored company 
information may present obvious advantages in the context of e-Government 
as well, as it is likely to diminish the administrative burdens for companies in 
their relation with public authorities. For instance, the electronic access to com- 
pany data by a public authority in the context of requests for subsidies or of ten- 
der offers may lead to waiving the obligation for the applicants to provide this 
information in the first place. Finally, a platform created for the interconnec- 
tion of company registers could be used as a prototype for the access to and 
exchange of other data about companies in the context of specific disclosure 
obligations or of various forms of public supervision of economic activities. In 
the light of the scope of this paper, the latter will be illustrated through the use 
of interconnected business registers for the combat against money laundering. 


As far as the combat against money laundering is concerned, the incre- 
asing internationalization of capital flows and financial transactions concur- 
rently enlarges the opportunities for resources obtained from illicit financial 
activities to cross borders undetected and make their way into the real eco- 
nomy. Considering the fact that money launderers more often use legal per- 
sons (in an attempt) to conceal any connection between a criminal activity and 
the resources obtained from it, the data contained in business registers are in- 
valuable in the detection of legal and corporate structures used for the purpo- 
ses of money laundering and terrorist financing (Schott, 2006). An enhanced 
transparency of business registers may thus be considered as an effective tool 
for the main actors in the field of anti-money laundering. To shed more light 
on the possible impact of a platform interconnecting business registers in the 
field of anti-money laundering, a distinction between two categories of actors 
(financial intermediaries as well as financial intelligence units) will be made. 


Firstly, it is submitted that the stage in which cash derived from crimi- 
nal activities is going to be injected into the regular economy (i.e. the place- 
ment-stage) offers the best opportunity for detecting money laundering. To that 
end, the Third Anti Money Laundering Directive 2005/60/EC requires finan- 
cial institutions and other undertakings likely to receive the proceeds of crime 
to assist financial intelligence units (FIUs) in their fight against money laun- 
dering and terrorist financing. This entails for the financial institutions and 
other bodies the obligation to keep track of the persons with whom they enter 
into a business relationship, and to follow up on this information on a regular 
basis. These ‘customer due diligence’ obligations will in general include the 


261 





identification of companies, its shareholders (‘beneficial owners’), board struc- 
ture etc. It is obvious that a platform interconnecting business registers may be 
a useful tool to comply with these obligations. Due to the linkage between bu- 
siness registers, financial intermediaries would be in the position to access, 
through a single entry point, all the public corporate data about their clients 
available in all business registers throughout the European Union. This gathe- 
red information must be used to promptly inform their financial intelligence 
unit, on their own initiative, where they know, suspect or have reasonable gro- 
unds to suspect that money laundering or terrorist financing is being or has 
been committed or attempted. Considering the improved quality of the custo- 
mer due diligence that financial intermediaries could thus achieve, reports of 
suspicious transactions could be more accurate, which subsequently leads to 
better investigation and prosecution of money laundering. 


Secondly, financial intelligence units (FIUs) may benefit from such a 
platform by the increased access to consolidated corporate data. Beside the im- 
proved access to corporate data and the more accurate reports they could re- 
ceive, the BRITE platform could assist FIUs in their specific needs through 
the elaboration of ‘event notification services’. The purpose of these services 
is to enable FIUs to reduce the monitoring costs of suspicious persons or com- 
panies, through a system of automated tracking of these subjects in the busi- 
ness register data. For instance, a FIU could, through the BRITE platform, ask 
to be notified whenever person X appears as board member of a company in 
one of the business registers connected to the platform. In a more sophistica- 
ted approach, the notification service could be used for defining and notifying 
flows of events concerning business register data which can possibly point to 
a suspicious situation for the FIU (e.g. the fact that companies are set up and 
wound up whitin a very short period of time). Thus, a better access to and use 
of business register data could provide a valuable additional tool for public au- 
thorities in the discovery of connections or networks between persons and com- 
panies, which is vital in the money laundering process. 


7. Conclusions 


The organisation of the supply and dissemination of corporate information 
through business registers in Europe is a showcase about how nationally or- 
ganised information systems can be at odds with the objective to promote 
cross-border economic activity while at the same time preserving the need to 
adequately inform and protect the users of the registers. The legal environment 
for business registers should take account, however, of the changed techno- 
logical environment and the increased possibilities offered by networks. From 
a legal perspective, the interconnection of existing information systems into a 


262 


network offers the advantage of being consistent with the principle of sub- 
sidiarity: instead of centralising data into a European register, the intercon- 
nection of existing registers preserves the ‘national’ organisation of the register 
systems, while at the same time taking advantage of the universal access to the 
data, their exchange and their aggregation. While this approach prevails in the 
disclosure of (financial) information for listed companies in the European 
Union, with the possible creation of a European network of national ‘officially 
appointed mechanisms’, the company law disclosure system still lags behind 
the possibilities offered by ICT. 

The potential of the BRITE project illustrates how technology can act as 
a catalyst for lawmakers in reducing red tape for entrepreneurs, and at the same 
time increase the use of public information for various public and private ac- 
tors. More fundamentally, it also demonstrates that the law should adopt a more 
open attitude towards the possibilities offered by technology. While the regu- 
lation of business registers is essentially confined within a national, territorial 
organisation leading to multiplication of filing requirements for multinational 
business enterprises, the Transparency Directive radically opts for a ‘home 
country’-approach, thereby favouring the exploitation of network effects in a 
harmonious conjunction between law and technology. European policymak- 
ers should consider exploring the use of a similar approach not only in the field 
of business registers, but also in other domains of e-government. 


Notes 


[1] See for example the ninth recital of Directive 94/45/EC. 


[2] The direct applicability of the principle of freedom of establishment in the legal order 
of the EU Member States has been stressed and reiterated by the ECJ in several cases 
such as Case 2/74, Reyners [1974] ECR I-631 and Case 79/85, Segers [1986] ECR I- 
2375. 


[3] Particularly the First Company Law Directive (Directive 68/151/EEC) and the Eleventh 
Company Law Directive (Directive 89/666/EC) and more generally, the Second Com- 
pany Law Directive (Directive 77/91/EEC), the Third Company Law Directive (Di- 
rective 78/855/EEC), the Fourth Company Law Directive (Directive 78/660/EEC), the 
Sixth Company Law Directive (Directive 82/891/EEC), the Seventh Company Law 
Directive (Directive 83/349/EEC) and Directive 2005/56/EC. 


[4] The incorporation theory, which is followed by the United Kingdom, Ireland, the 
Netherlands and Denmark, basically connects a company to the jurisdiction of its place 
of incorporation. In contrast to this, the more continental theory of the ‘real seat’, ad- 
hered by Germany, France, Belgium, Spain, Luxemburg, Greece and Portugal, takes 
the actual centre of administration as connecting point to determine the governing law 
of a company. (Drury, 1999) While the former theory is more export-minded as it al- 
lows companies to be kept governed by the law of the country in which they are in- 
corporated, the latter theory is indeed more defensive by requiring companies to 
reincorporate in the country in which they actually deploy their main economic activ- 
ities. 


263 


[5] Case C-212/97, Centros lid v. Erhvervs-og Selskabssyrelsen [1999] ECR I-1459; Case 
C-208/00, Uberseering BV v. Nordic Construction Company Baumanagement GmbH 
(NCC) [2002] ECR I-9919; Case C-167/01, Kamer van Koophandel en Fabrieken voor 
Amsterdam v. Inspire Art Ltd [2003] ECR I-10155. 

[6] See for example Case C-19/92, Kraus [1993] I-1663 and Case C-55/94, Gebhard [1995] 

1-4165. 

[7] Although it must be noted that the ECJ no longer accepts more severe disclosure re- 

quirements than those laid down in the Eleventh Company Law Directive. 


References 


1. Becht, M., Mayer, C. & Wagner, H.F. (2006). Corporate Mobility and the Cost of 
Regulation. ECGI Law Working Paper N. 70/2006: available on www.ssrn.com. 


2. Communication from the Commission on a simplified business environment for 
companies in the areas of company law, accounting and auditing, COM (2007) 
394. 

3. Drury, R.R. (1999). Migrating Companies. European Law Review Volume 24, 
pp. 354-372. 

4. Enriques, L. & Gelter, M. (2006). Regulatory competition in European Company 
Law and creditor protection. European Business Organization Law Review Vol- 
ume 7, pp. 417-453. 

5. Hirt, H.C. (2004). Freedom of Establishment, International Company Law and 
the Comparison of European Company Law Systems after the ECJ’s Decision in 
Inspire Art Ltd. European Business Law Review Volume 15 (issue 5), pp. 1189- 
1122. 

6. Huemer, D. (2005). European Law on Capital Markets — Quo Vadis?. Cornell 
Law School Papers Series, available on http://Isr.nellco.org/cornell/Ips/clacp/5. 

7. Karmel, R.S. (2005). Reform of Public Company Disclosure in Europe. Brooklyn 
Law School Legal Studies Research Papers, available on www.ssrn.com. 

8. Omar, P.J. (2005). Centros, Uberseering and Beyond: A European recipe for cor- 
porate migration (part 2). International Company and Commercial Law Review 
Volume 16, pp. 18-27. 

9. Presidency Conclusions, Lisbon European Council, 23 and 24 March 2000, avail- 
able at http://www.europarl.europa.eu. 

10. Recommendations by the Company Law SLIM Working Group on the Simplifi- 
cation of the First and Second Company Law Directives, available on http://ec.eu- 
ropa.eu/internal_market. 

11. Schott, P.A. (2006). Reference Guide to Anti-Money Laundering and Combating 
the Financing of Terrorism. The World Bank, 296. 

12. Vaccaro, E. (2005). Transfer of Seat and Freedom of establishment in European 
Company Law. European Business Law Review, pp. 1348-1365. 

13. Wymeersch, E. (2003). The transfer of the Company 3 seat in European Company 
Law. Common Market Law Review Volume 40, pp. 661-695. 


264 


The Independent Regulatory Body: 
A New Regulatory Institution In Privatised 
Telecommunications Industry 
(The Case of Indonesia) 


Atip Latifulhayat 
Padjadjaran University Law School 
Bandung, Indonesia 
atiphayat@yahoo.co.id 


Abstract. Privatisation has led to re-organization of the govern- 
ment institutions involved in the telecommunications sector. More spe- 
cifically, it has moved the telecommunications structure from 
government-based supply to market based-supply. One of the important 
consequences of this is that the government’s involvement in the sector 
has focused more on its role as a policy maker. The government’s invo- 
lvement in detailed management of the telecommunications operation 
may create negative impacts in the competitive market. The establish- 
ment of an independent regulatory body has been essential in changing 
the regulatory mechanism from a political to a professional orientation. 


Key Words: Telecommunications, independent, privatisation, regulation, Indonesia. 
1. Introduction 


In the classic PTT (Post, Telegraph and Telephone) model of telecommunica- 
tions supply, state control was carried out through direct ownership in State- 
Owned Enterprises (SOEs). More specifically, a sector ministry typically 
performs policy, ownership, as well as regulatory functions (the tripartite 
role).[1] In the last two decades, however, the wisdom of relying on regulated 
public monopolies for the provision of telecommunications services was in- 
creasingly put into question. The first and arguably most important reason was 
that the performance of those operators proved disappointing. Various studies 
demonstrated that publicly owned companies, in general, tended to be less ef- 
ficient than private ones, and that telecommunications markets open to com- 
petition tended to perform much better than those which were not. [2] 

In addition, it quickly became clear that regulation, especially when 
exercised through public ownership by a sector ministry — suffered many draw- 
backs.[3] Regulators often lacked the technical skills required to effectively 
regulate the incumbent operators, short-term political considerations tended to 
distort the regulatory process, and regulatory capture by the managers of the 


265 


public monopoly was frequent. In those conditions, it was argued that reliance 
on competition, even in markets where competition was imperfect, might yield 
better outcomes than reliance on regulated monopolies. [4] One of the impor- 
tant consequences of this was that the role of the state was limited to policy 
maker, to prevent the state being involved in detailed management of tele- 
communications operation. As a result, regulatory bodies separated from go- 
vernment ministries and independent from operators were set up. This was to 
ensure that regulatory process run professionally and independent from any 
political orientations. 

This paper examines the role governments should play in the compe- 
titive system appearing after they lose their monopoly position. The paper fo- 
cuses on the importance of the establishment of an independent regulatory 
body, a new regulatory institution commonly created after the privatisation of 
telecommunications with specific reference to the Indonesian Telecommuni- 
cations Regulatory Body. 


2. The Establishment of an Independent Regulatory Body: 
An Overview 


2.1. Privatisation and Regulatory Reform 


One of the important issues from telecommunications privatisation in both the 
international and national level is that privatisation has made governments no 
longer the sole operator of telecommunications. It has created a multi-opera- 
tor system open for competition. This raises an important question: what role 
should governments play in such a competitive system once they have lost 
their monopoly position? On one hand governments should ensure the provi- 
sion of telecommunications as an essential public service even after this is no 
longer run by them. Governments normally retain a regulatory role to ensure 
that telecommunications services are supplied in a manner consistent with na- 
tional perceptions of the public interest. On the other hand, the introduction of 
competitors in many newly privatised markets also increases the need for new 
regulators to act as referees between the new entrants and incumbent operators. 
[5] 

This issue concerns re-defining the concept of state control in the tele- 
communications sector after privatisation. In a monopolized regime, direct go- 
vernment ownership was the preferred mode of state control in the sector. No 
need was perceived for a “regulator” per se in this environment. The same go- 
vernment officials were often involved in policy decisions, policy implemen- 
tation and operation of telecommunications. [6]Privatisation, though, has led 
to a re-organization of government institutions involved in the telecommuni- 


266 


cations sector. What has been needed is a legal institutional framework of a re- 
gulatory reform in which all new economic and institutional conditions are cle- 
arly set out.[7] In short, privatisation has moved the manner of state control 
from ownership to regulation. 

Regulation is a generic term that can be used by many disciplines in dif- 
ferent ways, or may even be applied in different ways within the same disci- 
pline itself. For example, regulation in economics refers to the way in which 
the government tries to control the market with a view to liberalising it. Re- 
gulation in law refers either to a piece of legislation or to the process of orga- 
nising some aspects of activities. [8] However, what is relevant to the subject 
of this thesis is the process of regulation in terms of deterring monopoly prac- 
tices as well as enhancing competition and its relation with the position and role 
of states in such a process. 

Philosophically, regulation generally refers to control or the imposition 
of certain restrictions upon behaviours, whether individual or institutional. In 
other words, regulation is a term or a process, which reflects the fact that fre- 
edom of behaviour is to be trimmed, directed or reformed. Consequently, re- 
gulation may (hypothetically) take one of two forms. First is self-regulation 
whereby individuals or organisation, self-control their behaviours and activi- 
ties. Secondly is pre-dominantal regulation, whereby states undertake the mat- 
ter of regulation as part of its sovereign responsibilities. [9] 

Daintith as cited by Graham and Prosser defines regulation as a term 
which is applicable within at least four senses. First, it is a device for control- 
ling, governing, or directing by any actor in accordance with certain rules, or 
system. Secondly, regulation is an activity of the state that alters the operation 
of the market. Thirdly, it is an instrument for the furtherance of state policy, tho- 
ugh regulation is not a policy in itself, but it may be used to support and acce- 
lerate the economic policy of the state. Finally, regulation refers to the legal 
order, which expresses the domain of the state over the society as a whole thro- 
ugh orders, which are characterised by their command nature. [10] 

The most important issue to note from the above definition of regulation 
is that the use of the regulative mechanism by the state to direct or control or 
even reform the economy reflects, in general, the nature of the state’s econo- 
mic responsibilities. The regulatory reform means that the state, regardless of 
the type of economy in place (market economy or central economy) continues 
under a duty to manage the economy. In other words, regulation can always be 
recognised as the arm of the state by which it expresses its right to intervene 
within the economy, either directly or indirectly. In the case of a central or 
planned economy, the state uses its regulation arm to protect the public mono- 
poly, whilst in the case of a free market system the state uses its regulatory po- 


267 


licy to protect the private operation of the market, and to enhance its competi- 
tiveness. [11] 

To this end, both concepts of the regulatory system and privatisation 
overlap. The interface at which the nature of each privatisation system and the 
regulatory reform meet is the change that occurs to the shape or nature of the 
state’s economic duty, rather than to the duty itself. Therefore the state has 
been the body, which is (historically) responsible for regulation, but the nature 
of such an obligation differs from one application to another. [12] 

Within the context of a private market, regulation aims to protect the 
free operation of the economy rather than the privileges of the public mono- 
polies. On the other hand, privatisation indicates a turn in the state’s economic 
responsibilities towards indirect intervention levels, rather than a complete wi- 
thdrawal from such responsibilities. Regulation policy here becomes a com- 
plement to privatisation policy, with the state not only protecting the free 
operation of the market, but also exercising its new economic duty over the 
new economy. [13] 


2.2. Reasons for the Establishment of An Independent Regulatory Body 


The era of privatisation is also “the era of regulation”. [14]This seems para- 
doxical since privatisation and the family of policies that were associated with 
it was supposed to lead to deregulation and the promotion of freer mar- 
kets[15].However, the marketisation in utilities such as telecommunications 
did not bring about the end of the state. As the sector shifted from being do- 
minated by monopolies to being more competitive, the state has been intensi- 
vely involved via supervision, monitoring and/or enforcement procedures — in 
short “regulation”. With a shift from a positive to a regulatory state, new re- 
gulatory regimes were put in place.[16] On this matter, Gilardi et al neatly 
state, ““...with the advance of privatisation, it became clear that freer markets 
often imply more rules, regulatory agencies and regulators”[17] 

The emergence of an independent regulatory body can be analysed from 
a theoretical, practical and legal perspectives. One theoretical model suggests 
that the establishment of such a body is based on the dynamics of regulatory 
competition between countries. This idea suggests that the major force behind 
the regulatory reforms is the state’s dependency on capital and its consequent 
need to appease capital by committing itself to providing an attractive market 
environment and a stable regime for investment. The more privatised the eco- 
nomy is, the greater its dependency on private capital and consequently the 
greater the need to create a stable institutional design that is technocratic (em- 
phasis added) rather than political in its orientation. [18]The central arguments 
for the introduction of the regulatory body are the — assumed — independence 


268 


from both political and private interests and the continuity in making decisions 
beyond political considerations. This would build up the expertise to decide 
on complex and technical matters and ensure decisions are based on a great 
deal of knowledge. [19] 

The establishment of an independent regulatory body may also have 
been encouraged by practical considerations. Privatisation has led to an incre- 
ase in competition, new regulatory priorities have emerged, and issues of re- 
gulatory autonomy, in particular, have also gained prominence. [21]For 
example, how could it be ensured that a public regulator was not biased in fa- 
vour of the historical operator, which sometimes stayed under public owner- 
ship? How could the regulatory process be protected from short-term political 
pressures? And how could the regulator be best protected from undue influence 
by new private operators? In sum, the need for a regulator as an independent 
referee becomes a necessity. 

Some developing countries with legal and political systems of conti- 
nental European origin often argue that the model of independent regulatory 
agencies for utilities is appropriate only for Anglo-Saxon countries. Yet coun- 
tries in continental Europe have also adopted this model. Kerf et al compared 
the telecommunications regulatory agencies in the UK, the US, France, Ger- 
many and Spain, and whilst they found divergence in some respects, they saw 
a striking convergence in the overall approach. They stated conclusively, “this 
approach might not be right for all developing countries, but it cannot be re- 
jected on the grounds that it works in Anglo-Saxon countries only”. [22] The 
author, therefore, argues that most countries established such a body mostly 
for practical purposes, not based on the similarities of legal and political sys- 
tems. This can be seen for instance from the report of International Telecom- 
munications Union (ITU) that by the middle of 2004, the number of 
telecommunications regulatory agencies around the world stood at 132, con- 
sistent with the general pace of growth that has continued for more than a de- 
cade as shown in figure 1. [23] 

Unlike developed countries, for most developing countries such as In- 
donesia, the establishment of an independent regulatory body especially in the 
telecommunications sector is also part of their commitment to the World Trade 
Organization (WTO). The Reference Paper[24] attached to the WTO’s Basic 
Telecommunications Service Agreement is one of the key justifications, glo- 
bally, for establishing a regulatory agency. Paragraph 5 of the Reference Paper 
stated as follows: 

The regulatory body is separate from, and not accountable to, any sup- 
plier of basic telecommunications services. The decisions of and the procedu- 
res used by regulators shall be impartial with respect to all market participants. 


269 


Even though this paragraph consist of only 34 words, these has led nu- 
merous countries including Indonesia to embark on the creation of new regu- 
latory agencies through various package of legislative reforms.[25] Indonesia 
for example amended the Telecommunications Act of 1989 in 1999[26], which 
among others stipulated the establishment of an independent regulatory 
body.[27] 

This Reference Paper stipulated that governments have to ensure both 
the separation of the regulatory authority from any supplier of basic telecom- 
munications services as well as the impartiality of this authority. This provision, 
however, did not mandate a specific format for the regulatory authority. The 
only criterion embodied in the Reference Paper was that the regulatory body 
should be separate from (emphasis added) and non-accountable to any supplier 
of basic telecommunications services. This phrasing intends to guarantee the 
independence of the telecommunications operator because in many countries 
the regulator and the service provider have both been made up from the same 
state-operated entity.[28] 


2.3. The Meaning of “Independence” 


One of the principal failures of past policy and regulation in telecommunica- 
tions can be summarized in the term “regulatory capture”. The regulator either 
lost, or never had, the independence to make professional decisions on their 
merits because of undue influence either from politicians, politically driven 
ministries, or the regulated monopolies.[29] In other words, the central issue 
in the regulatory reforms particularly where a government retains ownership in 
the telecommunications provider is the problem of independence of the regu- 
lator. However, the meaning of the term “independence” is problematic per se. 
Indeed, although it is widely accepted that independence is a necessary feature 
for an effective regulator, the concept proves difficult to define because of its 
multiple dimensions.[30] As a result, there are several definitions of indepen- 
dence. 

As mentioned above, the Reference Paper’s definition of independence 
is not carefully drafted. But the words, “...the regulatory body is separate from, 
and not accountable to, any supplier of basic telecommunications services” in- 
dicates that the regulator should be independent from any entity providing se- 
rvices (operators). One of the weaknesses of this definition is that it does not 
require the regulator be separate and distinct from government ministries or 
department. Thus, in terms of compliance with the Reference Paper, a go- 
vernment may choose to set up an independent, autonomous regulatory agency, 
or it may decide to retain the regulatory function as a unit of a ministry, de- 
partment, or other government office.[31] It becomes problematic for coun- 


270 


tries to establish an independent regulator when the operator is at the same 
time both the regulator and the policy maker. This is indeed the case in coun- 
tries that still maintain a public monopoly in telecommunications services 
under the auspices of the telecommunications ministry.[32] 

The law in the European Union goes much further. For instance, Article 
3 (2) of the Framework Directive stipulates that Member States that own or 
control a telecommunications operator must ensure effective structural sepa- 
ration of the regulatory function from activities associated with ownership or 
control.[33] In other words, it should be independent from operators or go- 
vernment ministries. In fact, problems with the independence of the regulatory 
authority could arise if the telecommunications operator is state-owned. On 
one hand, the regulator has to judge impartially the behaviour of the operator. 
On the other hand it can still conflict with the government as the owner of the 
operator, for example, when privatisation is taking place.[34] 

Melody argues that the term ‘independence’ does not imply indepen- 
dence from government policy, or usurping the power to make policy, but ra- 
ther independence to implement policy without undue interference from 
politicians or industry lobbyists.[35] The central issue in this definition is “fre- 
edom from interference” either from governments or operators of telecommu- 
nications. International Telecommunications Union (ITU) in the first regulatory 
colloquium in 1993 defines independence as a term that variously refers to the 
separation of regulatory and operational functions, neutrality, insulation from 
external pressure, or simply the designation of an official publicly identified as 
having the regulatory responsibility and not subservient to the rest of a mini- 
stry.[36] 

The most traditional way to delineate the separate roles of the ministry 
and the regulator is to let the ministry establish overall policy, while the regu- 
latory agency sets and enforces the rules that express and implement those po- 
licies. But reality is very rarely that neat. Indeed, merely creating a separate 
regulatory agency is not the same thing as establishing pure administrative au- 
tonomy, if such a thing can be said to exist at all.[37] Even in the United Sta- 
tes, which maintains one of the world’s oldest separate telecommunications 
agencies, the Federal Communications Commission (FCC) notes the following 
in its response to the 2001 IT annual regulatory survey: 

The chairman of the FCC traditionally resigns when there is a change in 
political party in the White House, so the President may nominate someone of 
his/her choice. However the rest of the commissioners remain and complete 
their terms.[38] 

This example illustrates a real tension between two governmental ob- 
jectives: (1) making sure economic regulation is based on sound technical and 


271 


economic criteria, not political expedience; and (2) the desire to maintain some 
dimension of control over politically sensitive issues.[39] In short, it may be 
said that the nature of this separation may be easy to express in the abstract, but 
much more tricky to achieve and maintain in practice, on a daily basis. 

Independence from operators, especially the incumbent operators, is 
relatively easy to achieve when they have been completely privatised. This 
permits the ministry responsible for telecommunications to establish its neu- 
trality immediately, because the government no longer has vested interests in 
any single operator. In most cases however, governments have chosen to re- 
main major shareholders in the incumbent.[40] These circumstances may open 
the door to favouritism, as the ministry officials and incumbent staff may have 
long-term ties that could lead to bias or any other unfair practices. 

As can be seen, there is no single definition agreed of the term “inde- 
pendence”. However, two distinctive aspects are evident; independence from 
a ministry (the government); and independence from operators (including state- 
owned enterprises). In other words, the concept of “independence” structurally 
requires a separation from government ministries and functional freedom from 
interference either from governments or operators. These elements represent a 
policy reversal to the direct government intervention over the telecommunica- 
tions sector which existed previously under the state monopoly regime. 


2.4. How to Achieve Independence? 


Independence from both governments and operators appear to be the central 
elements for an independent regulator. How might we achieve such indepen- 
dence? This is an important question needing further investigation. Melody 
observes that structuring the relation between governments and the independent 
regulator is more difficult than with operators, because the regulator remains 
a part of the government. Melody, therefore suggests that professional qualifi- 
cations, an independent budget, requirements for public accountability and the 
rigorous appointment of the members are some of the important mechanisms 
used to help ensure a desirable degree of independence of the regulator.[41] 

Professional qualifications would replace routine administrative acti- 
vities under the ministerial officials by professional management more capa- 
ble of operating in the dynamic environment in which it must function. It 
requires specialized expertise, as the regulator must apply the government’s 
comprehensive telecommunications policies to the industry as a whole, it must 
be fully aware of technological and market trends and resolve industry pro- 
blems in a progressive rather than an ad hoc manner.[42] More importantly, it 
would change the regulator’s orientation, from a political to a more professio- 
nal institution, which is believed can better ensure its independence. 


272 


It is also essential to provide adequate funding for the regulatory pro- 
cess to ensure the independence of a regulator. Most countries generally used 
two means of funding. First, independent regulators can be funded out of ge- 
neral government budget appropriations, particularly when the functions are 
carried out within the ministry of telecommunications (communication). Se- 
condly regulators can be funded by applying licence fees and spectrum fees 
paid by operators. This is an increasingly common means to fund the regula- 
tory function.[43] One of the advantages of this funding method is that licence 
fees provide a way of recovering the costs of government services on a “user 
pay” basis. Telecommunications sector license fees can generate a sufficiently 
large source of revenues to ensure the regulatory function is carried out in a 
professional manner, something that cannot always be assured by cash-strap- 
ped governments, especially in developing countries.[44] 

Something that goes hand-in-hand with independence is the accoun- 
tability. The regulator normally reports annually on the extent to which the in- 
dustry is achieving the policy objectives established by government, the results 
of the regulator’s monitoring of industry developments, and measures of the re- 
gulator’s own performance of regulatory activities. In addition, procedures for 
administrative due process, public justification of decisions, appeals to the co- 
urts and public access to information all help ensure the accountability of the 
independent regulator.[45] 

The procedures for appointing the chairman/director or other mem- 
bers of a regulatory body can also be used to help the degree of independence 
of this body. Usually, governments appoint these figures pursuant either to 
statutory, constitutional, or regulatory guidelines, which also spell out how the 
officials can be replaced, and for what cause. Many countries have instituted 
guaranteed terms of office for appointed regulators, based on the desire to pro- 
tect their regulators from political pressures and partisan power fluctuations. By 
establishing fixed terms for regulators, a country may eliminate the chance that 
regulators can be dismissed abruptly for political reasons, or that other go- 
vernment officials can influence regulatory decisions by threatening to do 
so.[46] 

Moreover, some countries set up their regulatory bodies headed by a 
single individual, often a director or director-general. The choice to name a 
single leader may reflect prevailing administrative practices, available finan- 
cial resources or even cultural traditions. An early example was OFTEL (Of- 
fice of Telecommunications), the UK regulator, which was established in 1984, 
when BT (British Telecom) was privatised. By contrast, many governments 
believe that dividing the power among several members or commissioners of 
a collegial body will provide a check to absolute power and contribute to the 


273 


overall independence of the body. [47]This model has gained in popularity 
since 1990, and is believed to be somewhat less susceptible to “capture” by 
government ministries or operators. ITU as cited by Invent (2000) reported 
that six of the nine new regulators established between July 1998 and August 
1999 were collegial bodies, composed of between five and eleven mem- 
bers.[48] 


2.5. Converged Regulatory Body 


The convergence of the broadcasting, telecommunications and information 
technology sectors is now leading governments to consider further institutio- 
nal changes to their regulatory regimes. In many nations, market players wi- 
thin the industry itself are advocating reorganization of regulatory bodies to 
reflect convergence. One option is to create a “converged” regulatory agency, 
which would oversee some or all ICT (Information and Communication Tech- 
nology) industries, and take advantage of economics of scale and scope. In the- 
ory, the boundaries between these industries are blurring and eventually may 
fade away entirely. Under this notion, maintaining separate agencies for each 
sector would only invite inefficiency, jurisdictional overlap and policy dispu- 
tes.[49] 

Some countries including developing countries such as Malaysia have 
already combined its telecommunications and broadcasting regulatory body. 
The key reason for this is that it is becoming increasingly difficult to decide 
what is telecommunications and what is broadcasting.[50] The process of co- 
nverging a regulator, however, does not mean just combining the staff of the 
previous entities. It also involves the creation of a legal framework underpin- 
ning the regulation of the sector. Questions arise as to whether all ICTs will be 
regulated alike, in a technologically neutral fashion. This creates some diffi- 
culties especially in the area of broadcasting, as this may involve a matter of 
cultural values that may be addressed more appropriately under broadcasting 
or content regulation. Convergence is not a singular event that can be promo- 
ted, timed or controlled by the creation of a converged regulatory agency. 
Where it can be detected at all, convergence is a matter of evolution, and go- 
vernments have the job of trying to determine whether their regulatory regimes 
are ahead or behind “the curve”, or in fact, whether their regulatory institu- 
tions need to be reformed to cope with convergence at all.[51] 


274 


3. Indonesian Telecommunications Regulatory Body: Evalu- 
ation and Recommendations 


3.1. The Establishment of BRTI 


The Indonesian Telecommunications Regulatory Body (Indonesian: Badan 
Regulasi Telekomunikasi Indonesia/BRTI) was established in 2003 through the 
issuance of the Decree of the Ministry of Transportation No. 31/2003. Three 
important factors were behind the establishment of the body. These were the 
enactment of the new Telecommunications Act of 1999, Indonesia’s commit- 
ment to the WTO and the second round of the divestment of PT. Indosat (an In- 
donesian State-Owned Telecommunications Enterpise). These factors led to 
the relaxation of the state monopoly and open competition in the telecommu- 
nications sector. In these circumstances, the government needed to ensure an 
equal treatment of market participants and fair competition in telecommuni- 
cations operations. The establishment of an independent regulatory body, the- 
refore, was essential. 

There were two different proposed models. First, was a regulatory 
body that was separate from government ministries or department? This pro- 
posal was mostly supported by the telecommunications NGO’s (non-govern- 
mental organizations) such as MASTEL (Indonesian: Masyarakat 
Telekomunikasi Indonesia). They argued that in a competitive market, the go- 
vernment should ensure that it was not involved in the day-to-day manage- 
ment of telecommunications operations. The government’s role, therefore, 
should be limited to policy maker, while an independent regulatory body car- 
ried out the regulatory function.[52] 

The second model was proposed by the government, and retained the 
regulatory function as a unit of a ministry or department. The government ar- 
gued that it was in compliance with the Telecommunications Act of 1999. The 
elucidation of the Act stipulated: 


...the regulatory function, supervision, and control 
may be delegated to a regulatory body due to the chan- 
ges and development of the situation.[53] 


In other words, the government contended that an independent regula- 
tory body did not necessarily have to be separated completely from the go- 
vernment ministry or department. Furthermore, the government insisted that 
the Reference Paper of the WTO to which the government had made a com- 
mitment, did not specifically require that the regulator be separate and distinct 
from government ministries or departments. More importantly, the government 


275 





argued that the Indonesian legal system granted the government mandate to 
carry out both the policy and regulatory functions including in the telecom- 
munications sector. Hence, it left to the government the decision to choose the 
appropriate model of the telecommunications regulatory body. [54] 

In the end, BRTI was established with mixed elements adopted from 
both the government and the telecommunications NGO’s proposed models.[55] 
BRTI consists of the Telecommunications Regulatory Committee (henceforth 
referred to as the Regulatory Committee) and the Directorate General of Post 
and Telecommunications (DGPT).[56] Hence, BRTI structurally is part of the 
government ministry,[57] because the DGPT functions as a policy maker on be- 
half of the government (see figure 2.). However, the BRTI is functionally se- 
parate from the government ministry, as the Regulatory Committee members 
are not public servants under the DGPT. This consists of minimum of five 
members and maximum of seven members.[58] Notwithstanding of this sepa- 
ration, the chairman of the Regulatory Committee is the Director General of 
Post and Telecommunications (ex-officio), who is also a public servant. These 
circumstances have potential to reduce the degree of independence of BRTI. 


3.2. Duties, Functions and Appointment of Members of BRTI 


Prior to the establishment of BRTI, the Ministry of Transportation[59] thro- 
ugh the DGPT was responsible for both policy and regulation of telecommu- 
nications operations. Following the establishment of BRTI, the Ministry 
emphasised its role as policy maker and transferred the regulatory function to 
this body (BRTI).[60] The BRTI covered three main areas: regulation, super- 
vision and control of both the telecommunications network and services ope- 
ration.[61] For the regulatory function, BRTI provides regulations on licensing, 
standard operation performance, standard quality of service, interconnection ta- 
riff and standard telecommunications tools and equipment.[62] Furthermore, 
BRTI supervises the operational performance, competition safeguards and the 
utilization of telecommunications equipment in telecommunications. In terms 
of controlling functions, BRTI carries the following areas: settlement of di- 
sputes between operators and the application of standard quality services.[63] 

In carrying out its duties and functions, BRTI is required to be inde- 
pendent from any interests such as political interests, and the decisions are 
made only for the purpose of public interests.[64] In doing so, the BRT] is re- 
quired to create a certain process as that facilitates both public participation 
and input from the telecommunications industry. In addition, BRT] is required 
to ensure transparency, independence and justice in its decision making pro- 
cess.[65] In this regard, BRTI has provided public hearings to facilitate tele- 
communications operators, customers and other interests group in the 


276 


telecommunications to contribute to the decision making process. This process 
is carried out by the Regulatory Committee members collegially. The main aim 
is to ensure transparency, impartiality and accountability of the regulator. 
Where no consensus is reached, Regulatory Committee members have equal 
right in a vote.[66] 

BRTI was established to ensure transparency, independence and fair- 
ness in the operation of telecommunications. It was designed to be an inde- 
pendent regulatory body and collegial in nature.[67] Currently, BRTI consists 
of seven members including the Director General of Post and Telecommuni- 
cations who automatically acts as the chairman of the body. [68] Except for a 
member representing the government[68], the other five members of BRTI are 
selected through an independent selection team. Candidates who are eligible to 
be appointed as members of BRTI should meet the following criteria:[69] 


An Indonesian citizen; 
No more than 65 years old at the time of appointment as member 
of BRT]; 

e Physically and mentally fit; 

e Experts or professionals in information technology, law, econo- 
mics, or public policy; 

e Donot have any relationship with operators and are not sharehol- 
ders in telecommunications companies; 
Do not hold any positions in telecommunications operators, 
Not members of a political party. 


To ensure that the selection process is independent from undue interfe- 
rence either from the government or telecommunications operators, and also to 
ensure that candidates meet the required criteria, particularly in terms of their 
professionalism, the selection team may provide a public consultation.[70] The 
elected candidates are formally appointed as members of BRTI through the 
ministerial decree for a three-year term, which can be extended one more term 
if necessary.[71] 


3.3. Evaluation and Recommendations 


The establishment of the BRTI appeared to be intended as an independent te- 
lecommunications regulatory body. However, some have observed that BRTI 
was afflicted by at least three weaknesses that may reduce its independence. 
[72] These were: a lack of legitimacy; it was part of a government ministry 
and therefore lacked independence; and its source of funding. Each of these is 
discussed below. 


277 


3.3.1. Lack of Legitimacy 


Regarding the importance of the legitimacy of an independent regulatory body, 
ITU (2002) stated as follows: “‘...the key to actually achieving and mainta- 
ining independence is legitimacy. It is the acceptance of the existence and the 
power of an entity by those who can affect it or are affected by it”.[73] BRTI 
was established by a ministerial decree not an Act. Most writers argue that the 
ministerial decree was not a strong legal instrument for establishing such a 
body, as the decree may at any time be revoked by reasons that it constituted 
the discretionary power of the minister. As a result, BRTI could be regarded as 
a mere ad hoc body. In short, the existing BRTI was assessed as having a lack 
of legitimacy.[74] 

The root of the problem was the ambiguity of the government concer- 
ning the existence of an independent regulatory body in telecommunications 
operation after privatisation and liberalization of the sector. As mentioned 
above, on one hand, the government realized that in a competitive market, the 
establishment of an independent regulatory body was essential. On the other 
hand, the government appeared to retain its traditional role as both the policy 
maker and regulator of telecommunications. These circumstances led the go- 
vernment to a dilemmatic position. To resolve such a conflicting interest, a 
“compromise” provision was created. The provision on the establishment of 
an independent regulatory body was put in the elucidation of the Telecommu- 
nications Act of 1999, not in the body of the Act. In other words, it constituted 
a supplementary, and not a primary provision. Under this provision, the esta- 
blishment of an independent regulatory body was effectively left to the di- 
scretion of the government ministry. Consequently, BRTI had legally been a 
“fragile” body, as the government ministry may at any time decide that the 
body should cease to exist. 

Looking at the experience of other countries such as the UK and Ma- 
laysia, the creation of their telecommunications regulatory bodies were based 
on a specific act. The Malaysian Communications and Multimedia Commis- 
sion (MCMC) in Malaysia was established following the enactment of Com- 
munications and Multimedia Act (CMA) 1998 and Malaysian Communications 
and Multimedia Commission Act (MCMCA) 1998 and OFCOM (Office of 
Communication) in the UK was created through the Communications Act 
2003. These regulatory bodies have a strong legal basis in both their existence 
and legitimacy, as their status as well as duties and functions were laid down 
in the Act. As well, such an Act is hierarchically higher than a ministerial de- 
cree, and politically more accountable as it has been approved by Parliament. 

To make BRTI a more legitimate body, it is recommended that a sup- 


278 


plementary provision on the creation of an independent regulatory body under 
the Telecommunications Act of 1999 be strengthened to become a primary pro- 
vision and put down in the body of the Act. To achieve this, an amendment to 
the Telecommunications Act of 1999 is necessary. There have been legal pre- 
cedents already in creating an independent regulatory body based on an Act. It 
can be seen for instance in the creation of the Indonesian Broadcasting Com- 
mission, which constituted a legal mandate from Act No.32/2002 on Broadca- 
sting, and the establishment of the Indonesian Commission for Unfair 
Competition, which was based on Act No.5/1999 on Anti-Monopoly and 
Unfair Competition. 


3.3.2. BRTI is Part of the Government Ministry 


One of the stinging critiques on BRTI has been that the body is part of the go- 
vernment ministry. The structure and working mechanism of BRTI, especially 
the position of the DGPT as an integral part of the body has been the main tar- 
get of the critique. Before establishing BRTI, the DGPT was structurally part 
of the government ministry, and was a regulator of telecommunications. Hence, 
the government decision to retain the DGPT as part of BRTI indicated that the 
body was not independent from the government ministry. It was exacerbated 
by the fact that the Director General of Posts and Telecommunications was au- 
tomatically the chairman of BRTI. In its operation, this has caused confusion 
as to when the Director General is acting in the capacity as the chairman of 
BRTI (a regulator) or is acting as part of the Ministry. [75] These circumstan- 
ces have the position very vulnerable to undue interference from the govern- 
ment, and of course it will decrease the degree of independence of BRTI. 

Furthermore, the BRTI’s decisions are in the form of a Ministerial or 
DGPT decree.[76] Most have observed that this is a clear indication that the go- 
vernment is very reluctant to transfer its regulatory function to an independent 
regulatory body. Under this mechanism, the Regulatory Committee members 
act as no more than an Advisory Committee or Expert Committee to the DGPT 
and the Ministry.[77] BRTI’s decisions seem to be merely recommendations of 
which the DGPT or the Ministry may change or even disregard them for va- 
rious reasons. In practice, therefore, BRTI does not have an authority to create 
any decisions. This is contrary to the purpose of the establishment of BRTI as 
an independent telecommunications regulatory body. 

Again, this reflects the government’s ambiguity concerning the existence 
of an independent regulatory body. Asmiati Rasyid insists that this is the main 
source that makes BRTI appear to be a weak regulatory body in both its legal 
basis and structure.[78] The appointment of the Director General of DGPT as 
the chairman of the Regulatory Committee confirms this opinion, as through 


279 


the DGPT’s position, the government can involve itself in the day-to-day ma- 
nagement of BRTI. Hence, the claim that BRTI is an independent regulatory 
body has little substance. 


3.3.3. Source of Funding 


The BRTI is funded from the Government Budget.[79] Most have argued that 
this has decreased the independence of BRTI.[80] International experience 
shows that there are two common ways of funding a regulatory body: by means 
of government budget appropriations and by using licence fees and spectrum 
fees paid by operators. The International Telecommunications Union (ITU) re- 
ported that most countries funded their telecommunications regulatory bodies 
by means of license and spectrum fees. The United States termed these regu- 
latory fees.]81] Only a few countries used 100% government budget appro- 
priations as the source of funding. These include France, South Korea, 
Switzerland and Mexico.[82] 

Looking at the ITU’s report, most countries seem to use non-govern- 
ment budget appropriations as an element of independence for their regulatory 
bodies. Surprisingly, however, the UK which is known as the pioneer in esta- 
blishing an independent regulatory body, provided 59% government budget 
appropriation to finance its telecommunications regulatory body (OFCOM) 
and the rest was funded by means of licence fees and contributions from ope- 
rator turnover.[83] The author argues that the use of government budgets as 
the primary source of funding risks decreasing the degree of independence of 
a regulatory body. However, for a country with reputable governance such as 
the UK, using a government budget may not necessarily decrease the inde- 
pendence of OFCOM. 

For Indonesia, financing BRTI mostly from the government budget ap- 
propriation risks its independence due to the fact that the country lacks good 
governance. In this context, Indonesia may learn from Malaysia, which pro- 
vide mixed funding from both the government budget and licence and spectrum 
fees.[84] However, according to the report from ITU (2005), the MCMC has 
now completely been funded by licence fees (35%) and spectrum fees 
(65%).[85] The author is of the opinion that the Malaysian Government’s pro- 
vision of budget for the MCMC was temporary in nature when this body was 
still in transition. 

Regarding the status of BRTI, the Indonesian Government states that 
this is a “regulatory body in transition”. The government, however, never men- 
tioned when this transition period will end. The author suggests that this trans- 
ition period should be terminated at the end of 2008, as a new 
Telecommunications Act most probably will be enacted in that year. Curren- 


280 


tly, the draft of a new Telecommunications Act is being prepared by the Mini- 
stry of Information and Communication. One of the important issues in this 
draft is to improve the status of BRTI to that of a “real” independent regulatory 
body.[86] 

To finance BRTI during the transition period by means of both the go- 
vernment budget and license and spectrum is acceptable. When the transition 
period end, BRTI should be funded completely from license and spectrum fees. 
One of the most important advantages from this method of funding is that the 
regulatory function in BRTI would be carried out in a professional manner, so- 
mething that cannot always be assured by cash-strapped governments, espe- 
cially in developing countries like Indonesia.[87] 


3.4. Is BRTI an Independent Regulatory Body? 


The term “independence” has many meanings and is subject to different crite- 
ria. There is no single definition agreed. The author has always argued that the 
term “independence” (of a regulatory body) means separate and distinct from 
the government ministry and independent from operators. An independent re- 
gulatory body is a product of privatisation and liberalization of telecommuni- 
cations, which essentially aimed at dismantling government monopolies over 
the sector. Hence, the term “independence” means moving the telecommuni- 
cations regulatory body away from undue interference from the government. 

Under this definition, BRTI may not be categorized as an independent 
regulatory body. It is debatable whether the government has been involved in 
the day-to-day management of BRTI. However, the fact that the DGPT was 
retained as an integral part of BRT] is a strong indication that the government 
wished to involve itself in the internal management of BRTI. The BRTI has 
thus been left vulnerable to undue interference in the regulatory making pro- 
cess. In the UK, the regulatory body has a link with the government (sector) mi- 
nistry. However, this does not mean that a public servant needed to act as the 
chairman of OFCOM, as happened in Indonesia. 

As noted earlier, Melody suggested four elements were required to 
achieve a desirable degree of independence of a regulatory body.[88] First was 
the professional qualification of the members. So far, the members of BRTI 
have come from different backgrounds and have had qualifications in tele- 
communications, information technology, economy, law and public policy. Se- 
condly, members of the regulatory body should be selected through an 
independent mechanism. As mentioned above, except for a member represen- 
ting the government, other members of the BRTI have been selected through 
a process that is relatively open and transparent. This selection was open to 
candidates who meet the required qualifications. Thirdly, funding should be 


281 





provided through an independent source. On this matter, BRTI may be less in- 
dependent due to the fact that this regulatory body is financed completely from 
government budget appropriation. Most have argued that this could have led 
BRTI to being susceptible to undue interference of the government and may de- 
crease its independence. 

Finally is accountability of the regulators. One of the most basic forms 
of accountability is to have transparency in decision-making process. This pro- 
cess must be clear and it must have proper legitimacy. The accountability of re- 
gulators normally takes the form of providing an annual report on the conduct 
of the regulator’s activities. In addition, it also provides public access to in- 
formation and appeals to the courts concerning regulations produced by the 
regulatory body. 

According to the Ministerial Decree No. KM.31/2003 on the establi- 
shment of BRTI, this regulatory body should provide three monthly reports to 
the Ministry or more if necessary.[89] Hence, it may be said that to a certain 
degree BRTI has provided a mechanism of accountability. Furthermore, BRTI 
has also provided mechanisms that enable public participation in the regulatory 
making process. For example, recently BRTI has invited the public to review 
a draft regulation on the tariff of mobile services.[90] However, there is no ju- 
dicial mechanism to review regulations created by BRTI, which may be, for in- 
stance, detrimental to customers. 

The foregoing discussion reveals that the BRTI does not have the cha- 
racteristics of ideal independent regulatory body. The position of the Director 
General of Posts and Telecommunications as the chairman of BRTI, the deci- 
sions that are in the form of the Ministry or the DGPT decree and funding so- 
urces mostly from the government’s budget, are three important drawbacks 
that indicate the BRTI is to a certain degree still a “dependent “ regulatory 
body. Nevertheless, an open process for the selection of the members of BRTI 
and the provision of public participation in the regulatory making process, are 
some promising elements for BRTI as an ideal independent regulatory body. 
More importantly, the government seems to have a political will to do so. On 
this matter, Basuki Yusuf Iskandar, the chairman of BRTI neatly stated: “...we 
are in the middle of changing thus we need to change”’.[91] 


3.5. The State as Policy Maker 


The establishment of BRTI has changed the Indonesian telecommunications 
structure from government-based supply to market-based. supply as applied in 
most developed market economies. This structure is outlined in table 1. 
Government officials can set policies in the national interest, without 
conflicting concerns based on their role as owners, managers or employees of 


282 


telecommunications operators. In particular, governments are inclined to in- 
troduce significant competition in telecommunications markets if they do not 
also run the main operator. Separate regulatory authorities can implement go- 
vernment policy in an objective and impartial manner. Separation from state- 
owned telecommunications operators increases the ability of regulators to act 
impartially toward all market participants, for example in matters involving 
competition policy or interconnection.[92] 

Privately owned operators can make rational economic decisions about 
the supply of telecommunications services, without conflicting coricerns arising 
from government ownership. Commercialization of state-owned operators can 
also increase immunity from government interference, relative to traditional 
PTTs. However, the degree of immunity depends on the degree of indepen- 
dence granted to the “commercialised” state operators.[93] 

In summary, the establishment of BRTI regardless of several drawbacks 
on this regulatory body has changed not only the Indonesian telecommiunica- 
tions structure but also granted the government a clearer role as policy maker. 


4. Concluding Remarks 


The government’s involvement in detailed management of the telecommuni- 
cations operations in which the government acts as both policy maker and re- 
gulator has led the sector operating inefficiently. The establishment of a 
regulatory body that is separate and distinct from the government ministry is 
essential for two reasons. First, it changes the regulatory approach from a po- 
litical to a professional orientation. Secondly, government involvement is li- 
mited and focus on policy development — the government as policy maker. For 
the Indonesian context, the establishment of BRT] has changed the meaning of 
state control from a direct into an indirect manner — from direct ownership to 
a policy orientation. 


Notes 


[1] Colin Scott (1996), “Institutional Competition arid Coordination in the Process of 
Telecommunications Liberalisation” iti Joseph McCahery (ed.) International Regu- 
latory Competition and Regulatory Coordination: Perspectives on Economic Regu- 
lation in Europe and the United States, Clarendon Press, Oxford, p 383. 

[2] See for example Ahmed Galal, Leroy Jones, Pankaj Tandon and IngoVogelsang 
(1994), Welfare Consequences of Selling Public Enterprises: An Empirical Analysis, 
Oxford University Press, Oxford, which examines in detail twelve specific cases of 
privatisation (including three cases in the telecommunications sector) in Chile, 
Malaysia, Mexico and the United Kingdom; see also Bjorn Wellenius and Peter A 
Stern, Eds. (1994), Implementing Reforms in the Telecommunications Sector: Lessons 
from Experience, The World Bank, Washington, D.C., which discusses the interna- 


t 


283 


tional experience of telecommunications sector reform, covering a wide range of is- 
sues and countries. 

[3] See David M. Newbery (2000), Privatisation, Restructuring, and Regulation of Net- 
work Utilities, MIT Press, Cambridge, p 134. 


[4] Damien Geradin and Michel Kerf (2003), Controlling Market Power in Telecommuni- 
cations: Antitrust vs. Sector Specific Regulation, Oxford University Press, Oxford, p 
7. 

[5] Hank Intven (2000), Telecommunications Regulation Handbook, Module 1, The World 
Bank, Washington, D.C., pp 1-5. 

[6] Id. 

[7] Id. 

[8] Emad Al-Shurman (2001), “The Transformation of a Public Monopoly into a Public 
Limited Company through the privatisation Process: A Critical Legal Study of the 
British and World-Wide Experience. The Case Study of Privatising Telecommunica- 
tions Industry”, unpublished PhD Thesis, University of Aberdeen, p 119. 


[9] Ibid. p 121. 
[10] Cosmo Graham and Tony Prosser (1991), Privatising Public Enterprises: Constitu- 


tion, the State, and Regulation in Comparative Perspective, Clarendon Press, Oxford, 
p 175. 


[11] Al-Shurman, supra note 8, p 123. 

[12] Ibid. p 124. 

[13] Id. 

[14] Fabrizio Gilardi, Jacint Jordana and David Levi-Faur (2006), “Regulation in the age 
of globalization: the diffusion of regulatory agencies across Europe and Latin Amer- 
ica” in Graeme Hodge (ed.), Privatisation and Market Development: Global Move- 
ments in Public Policy Ideas, Edward Elgar, UK, p 127. 

[15] Id. 

[16] Dominik Bollhoff (2002), “Developments in Regulatory Regimes: An Anglo-German 
Comparison on Telecommunications, Energy and Rail”, Max-Planck Institute, Bonn, 
ps. 

[17] Gilardi et al, supra note 14, p 127. 

[18] Ibid. p 128. 

[19] Bollhoff, supra note 16, p 8. 

[20] Michel Kerf, Manuel Schiffler, and Clemencia Torres (2001), “Telecom Regulator”, 
Public Policy for the Private Sector, No. 230, World Bank, Washington, D.C., p 1. 

[21] Id. 

[22] ITU (2005), Trends in Telecommunications Reform 2004/2005: Licensing in An Era 
of Convergence, Geneva, p 13. 


[23] It is part of the WTO Agreement that contains a set of regulatory principles on basic 
telecommunications. 


[24] ITU (2002), Trends in Telecommunications Reform 2002: Effective Regulation, Ge- 
neva, p 33. 


[25] The Telecommunications Act of 1999 has repealed the Telecommunications Act of 
1989. 


[26] See the elucidation of Article 4 (2) of the Telecommunications Act of 1999. 


284 


[27] Taunya L. McLarty (1998), “Liberalised Telecommunications Trade in the WTO: im- 
plications for Universal Service Policy”, Federal Communication Law Journal, Vol. 
51, No.1, p 53. 


[28] William H. Melody (1997), “On the meaning and importance of ‘independence’ in 
telecom reform”, Telecommunications Policy, Vol. 21, No. 3, p 195. 


[29] Audrey Baudrier (2001), “Independent Regulation and Telecommunications Perfor- 
mance in Developing Countries”, Research Paper, University of Paris Pantheon-Sor- 
bonne, Paris, p 4. 


[30] ITU (2002), supra note 24, p 36. 


[31] Boutheina Guermazi (2000), “Exploring the Reference Paper on Regulatory princi- 
ples”, CSRI , McGill University, p 13. 


[32] Framework Directive, 2002/21/EC, OJL 108. 


[33] Mathew Bobjoseph (2003), The WTO Agreements on Telecommunications, Peter 
Lang, Bern, p 188. 


[34] Melody, supra note 28, p 197. 


[35] ITU (1993), “The Changing role of Government in an era of telecom deregulation: Re- 
port of the colloquium held at ITU Headquarters 17-19 February”, Geneva. 


[36] ITU (2002), supra note 24, pp 36-37 

[37] Id. 

[38] Ibid. p 37 

[39] In OECD countries for example, only seven countries are listed as having a fully pri- 
vatised market. See ITU (2002), supra note 24, p 44. 

[40] Melody, supra note 28, pp 195-199. 

[41] Melody, supra note 28, p 198 

[42] Invent, supra note 5, p 7 

[43] Id. 

[44] Melody, supra note 28, p 198. 

[45] Id. 

[46] ITU (2002), supra note 24, p 42 

[47] Invent, supra note 5, p 8. 

[48] ITU (2002), supra note 24, pp 42-43. 

[49] For example, some telephone companies are moving very close to making video-on- 
demand a standard offering to the public. They see video-on-demand as simply a qu- 
estion of rolling out more bandwidth. 

[50] ITU (2002), supra note 24, p 43. 

[51] MASTEL (2001), “Laporan Pelaksanaan Tugas Kelompok Kerja Badan Regulasi In- 
dependen”, Jakarta, pp 5-6 

[52] See the elucidation Article 4 (2) of the Telecommunications Act of 1999 

[53] Hinca IP Pandjaitan (2000), Undang-Undang Telekomunikasi: Partisipasi Publik dan 
Pengaturan Setengah Hati, Internews Indonesia, Jakarta, p 84. 

[54] See Departemen Perhubungan (1999), “Tanggapan Pemerintah atas Pengantar 
Musyawarah Fraksi-Fraksi terhadap Rancangan Undang-Undang tentang Telekomu- 
nikasi”, Jakarta, p 3. See also Asmiati Rasyid (2004), “BRTI ‘Transisi’ Mempri- 
hatinkan”, Kompas, July 20, p 5. See also http//www.brti.or.id/index.php? 


285 


mod=site&site=about. Visited at 23 February 2006. 


[55] Article 1 (1) of the Decree of the Minister of Transportation No.31/2003. Since 2004 
this Ministry has been renamed by the Ministry of Communication and Information. 


[56] Ministry of Communication and Information 
[57] Ministry of Communication and Information 


[58] Since 2004 this Ministry has been renamed by the Ministry of Communication and 
Information. 


[59] Article 5 of the Decree of the Minister of Transportation No.KM.31/2003 
[60] Ibid. Article 6. 

[61] Id. 

[62] Id. 


[63] Articles 7 of the Decree of the Minister of Communication and Information No. 
25/P/M.Kominfo11/2005. 


[64] Article 15 of the Decree of the Minister of Transportation No. KM. 31/2003. Ko- 
esmarihati Sugondo (2004), “Indonesian Telecommunications Regulatory Body”, pre- 
sented at Sub-Regional Seminar on Trade and Telecommunications, 1-2 March, 
Jakarta, Indonesia, p 7. 


[65] Article 14 of the Decree of the Minister of Transportation No.KM. 31/2003. 
[66] Article 2 of the Decree of the Minister of Transportation No.31/2003. 
[67] Article 2 of the Decree of the Minister of Transportation No.31/2003. 


[68] One member of BRTI is the government representative who is appointed by the Mi- 
nister of Communication and Information. 


[69] Article 11 (d) of the Decree of the Minister of Communications and Information No. 
25/P/M.Kominfo/11/2005. 


[70] See Siaran Pers DGPT No.02/DJPT. 1/Kominfo/I/2006, 9 January 2006. 


[71] Article 12 of the Decree of the Ministry of Transportation No.KM. 31/2003. Articles 
10 and 11 of the Decree of the Ministry of Communication and Information No. 
25/P/M.Kominfo1 1/2005. 


[72] Koesmarihati Sugondo (2004), “Indonesian Telecommunications Regulatory Body 
(BRTI)”, presented at Sub-Regional Seminar on Trade and Telecommunications, 
Jakarta, Indonesia, p 8. 


[73] ITU (2002), supra note 24, p 36. 


[74] Hery Trianto (2005), “BRTI dua tahun di tengah kritik”, Kompas, December 1, p 5. 
Asmiati Rasyid (2004), “BRTI “Transisi” Memprihatinkan, Kompas, 20 July, p5 


[75] Atip Latipulhayat (2006), “Privatisation of Telecommunications in the Developing 
World: A Lesson Learnt, or A Burden Imposed?” in Proceedings of the Forty-Eight 
Colloquium on the Law of Outer Space, 17-21 October, Fukuoka, Japan, American In- 
stitute of Aeronautics and Astronautics, p 431.. 


[76] Article 8 of the Decree of the Minister of Transportation No.KM. 31/2003. 
[77] Kompas (2003), “Diragukan, Independensi dan Efektivitas dari KRT”, July 19, pp 4- 
5 


[78] Rasyid (2004), supra note 74, p 5 


[79] The Decree of the Minister of Transportation No. KM.67/2003. 
[80] Latipulhayat, supra note 75, p 431. 


286 


[81] ITU (2005), Trends in Telecommunications Reform 2004/2005: Licensing in An Era 
of Convergence, Geneva, pp 149-181. 


[82] Id. 

[83] Ibid, p 179. 

[84] Art. 38 of MCMCA 1998. 

[85] ITU (2005), supra note 81, p 167 

[86] An Interview with a member of the Drafting Committee, 30 June 2006. 
[87] Invent, supra note 5, p 7. 

[88] Melody, supra note 28, pp 195-199. 

[89] Article 9 of the Decree of the Minister of Transportation No. KM. 31/2003 
[90] Available at http://www.brti.or.id. Visited at 26 May 2007. 

[91] Available at http://www.brti.or.id. Visited at 28 July 2006. 

[92] Invent, supra note 5, p 5. 

[93] Ibid, p 6. 


287 





Tapping and Data Retention in Ultrafast 
Communication Networks 


Bart Custers 
Research fellow 
Tilburg Institute for Law, Technology and Society 
Tilburg University, 5000 LE Tilburg, Netherlands 


Senior Consultant 
Capgemini Consulting Services, 3500 GN Utrecht, Netherlands 
B.H.M.Custers@uvt.nl 


Abstract. In their fight against crime and terrorism, many gov- 
ernments are gathering communication data in order to gain insight into 
methods and activities of suspects and potential suspects. Tapping, or 
wiretapping, has been used for a long time and nowadays most countries 
are extending this to data retention, i.e., large-scale storage of various 
kinds of data available on communications. At the same time, however, 
efforts are being made in the field of technology to develop a new gen- 
eration of communication networks, based on ultrafast optical and wire- 
less communication. This is likely to result in a significant increase in the 
speed and volume of information transfer on communication networks 
such as the Internet. These increasing amounts of information require 
increasing storage and analysis capacity, for which automated solutions 
are being developed. In this contribution, the way in which these tech- 
nological developments influence the possibilities of tapping and data re- 
tention is discussed and some suggestions are made on how to deal with 
this. 


Keywords: tapping, wiretapping, data retention, security, optical networks, wireless 
networks, data mining 


1. Introduction 


Government organizations, particularly those engaged in fighting crime and 
terrorism, have a particular need for personal information. Personal data may 
help to find out who a person is, whether he poses a risk to society and with 
what people he is in contact. Such information may play an important role in 
preventing crime and terrorism, as well as in solving or reconstructing in ret- 
rospect any such cases that have taken place. 

In recent years, crime and terrorism have become more organized. As a 
result, it is no longer sufficient to investigate and profile individual suspects. 
There is now also a need to reveal the networks of people where these suspects 


289 


operate. Gaining insight in who is communicating with whom may bring other 
suspects into scope, particularly first offenders, who were hitherto unknown 
to the authorities. In a way, finding out who knows who has become easier in 
the information age, as communication increasingly takes place via such in- 
formation and communication networks as phones and the Internet. Tapping 
these communication lines is technologically straightforward. Telephone tap- 
ping is almost as old as the telephone itself. Apart from the term telephone tap- 
ping, the term wiretapping is often used to include tapping Internet 
communication. Nowadays, the term tapping is becoming more common, since 
this also includes various types of wireless communication networks. In this 
contribution, the common term tapping is used to indicate the tapping of all 
forms of electronic and/or digital communication. Communication without any 
tools such as phones or Internet can also be overheard and or recorded, but is 
beyond the scope of this contribution. 

Data retention is a more recent form of investigating who knows who. 
Because of the ever-growing storage capacity of information systems, it has be- 
come technologically possible to store al? communication that takes place over 
these networks. It is important to note that this is not currently happening, but 
it can be done. Nevertheless, the secret services in the United States are build- 
ing large databases with communication data. Echelon is a global electronics 
communications surveillance system that gathers and processes vast amounts 
of communication data (Hagar, 1997, Madsen, 1998). Furthermore, in 2002, 
the US Department of Defense was planning a project known as Total Infor- 
mation Awareness (TIA). This project envisioned the creation of a gigantic 
government database of personal information, including communication data, 
to be analyzed under various models to detect patterns and profiles for terror- 
ist activities (Markoff, 2002). When a major news story about TIA broke, civil 
liberties groups, commentators and politicians voiced criticism. In 2003 the 
program was renamed Terrorism Information Awareness and it was stated that 
privacy would be protected, though without specifying how. However, that 
same year, the US Senate stopped funding TIA (see also Solove, 2004). 

In March 2006, the European Union adopted a directive that requires 
telecom operators and Internet providers in all member states to implement 
data retention systems for both telephone and Internet traffic. It is significant 
to note that this EU Directive does not require or allow the retention of the 
contents of any communication. This contrasts to tapping, which focuses on the 
content of any form of communication. Data retention focuses on the storage 
of call detail records of telephony and Internet traffic and transaction data. Ba- 
sically this concerns phone calls made and received, emails sent and received 
and web sites visited. These data provide an idea of who is in contact with 


290 


whom, when, and how frequently. When possible, further identifying infor- 
mation may be added, as well as location data. 

With the rise of new technologies and the ever-increasing volumes of 
information being transferred, new security issues arise regarding tapping and 
data retention. In the past decades there has been a significant increase in com- 
munication between people. At the same time there has been a significant in- 
crease in data storage and analysis relating to this communication. This raises 
the question of how these technological developments influence the potential 
of tapping and data retention. 

This contribution will provide a brief overview of current use of tapping 
and data retention that will provide an answer to the question above and make 
some suggestions on how to deal with these new developments. In Section 2, 
the technological developments regarding ultrafast communication networks 
will be discussed briefly. In Sections 3 and 4, tapping and data retention will 
be discussed, respectively. How tapping and data retention works in ultrafast 
communication networks and what effects this may have will be explained in 
more detail in these sections. In Section 5 (European) privacy legislation will 
be discussed briefly. In Section 6 conclusions will be drawn and some sug- 
gestions will be made on how to deal with these effects. The focus will be on 
EU and US developments. 


2. Ultrafast Communication Networks 


Technological change is exponential. According to Moore’s Law, the number 
of transistors on an integrated circuit (a ‘chip’ or ‘microchip’) for minimum 
component cost doubles every 24 months (Schaller, 1997). This, more or less, 
implies that storage capacity doubles every two years or that data storage costs 
are reduced by fifty per cent every two years. Gordon Moore’s empirical ob- 
servation was made in 1965; by now, this doubling speed is approximately 18 
months. Moore’s Law deals with storage capacities, but similar observations 
have been made for communication speed and volume. According to Gilder’s 
Law, the total bandwidth availability of US communication systems has tripled 
every twelve months since the 1980s and will expand at the same rate for the 
next 30 years to come (Raessens, 2001). 

Moore’s Law is not only about making existing technologies more effi- 
cient. It also takes into account the new ideas and inventions in the field of in- 
formation technology. The latest developments to increase the speed and 
volume of transferring information on communication networks are focused on 
changing from electronic communication to optical communication. This is 
likely to result in a significant increase in the speed and volume of information 
transfer on communication networks. This new type of communication is re- 


291 


ferred to as ultrafast communication (Miller, 2004). In order to achieve all-op- 
tical networks, efforts are being made to develop and introduce optical com- 
munication hubs. Many optical fibers are already used for communicating 
optical signals over longer distances, but there are currently no optical alter- 
natives for many electronic building blocks, such as flips flops, gates, buffers, 
memories, shift registers, and transistors. 

Optical communication is not the only method for ultrafast communi- 
cation. Wireless communication, using electromagnetic waves, is also consid- 
erably faster than electronic communication systems. The speed of wireless 
networks is often slowed down because wireless networks may involve elec- 
tronic transmission at both ends of a data transmission. The development of all- 
optical building blocks will overcome the limitations for ultrafast 
communication systems. 


3. Tapping 


Wiretapping, or tapping for short, focuses on the contents of communication. 
The information communicated between persons may be very useful in crim- 
inal investigations. Obviously tapping is considered a serious infringement of 
some basic human rights, such as privacy and freedom of expression. Most 
legal systems explicitly mention privacy of letters and privacy of phone calls 
[1], as there are many different types of privacy. Those most commonly dis- 
tinguished are spatial, relational and communicational privacy, all of which 
have physical and informational aspects (Blok, 2002). 

Since tapping violates basic human rights, it is generally not allowed, but 
there are exceptions. In Western countries, such exceptions are strictly con- 
trolled and often concern (serious) suspicions of crime or terrorism or both. 
The police are often the executing authority. In most countries, tapping needs 
to be authorized by a court. Permission to tap is only provided under strict con- 
ditions (Koops, 1999). The crimes have to be severe; tapping is not allowed for 
minor offenses. Usually this means that the case must involve an offense pun- 
ishable with, for instance, at least four years of imprisonment. Another condi- 
tion is that there is a reasonable expectation that the suspect will participate in 
the conversation. Not only suspects’ phones can be tapped, but also, for in- 
stance, relatives’ phones. When the communication involves people with pro- 
fessional rights of non-disclosure, such as lawyers and doctors, monitoring the 
conversation is not allowed. Tapping is only allowed for public networks; pri- 
vate networks are beyond scrutiny. 

The rapid developments in communication infrastructure are posing 
major challenges to the technical feasibility of tapping. Tapping regular (elec- 


292 


tronic) communication systems usually works by clicking a tapping device on 
the wire and copying (or interfering with) the signal. From a technological per- 
spective optical tapping is quite different. The socket of the cable has to be re- 
moved to get to the fiber. When bending the cable, part of the optical data 
stream will no longer follow the path of the fiber but will go straight ahead 
[2]. This sub-stream can be read when using the proper devices. When a lot of 
light is being tapped, this may cause the quality of the signal at the receiving 
end of cable to decrease. This could indicate to users that a cable is being 
tapped. 

Obviously this way of tapping signals is rather complicated, even when 
cryptography is not used to encrypt the information. Since most communica- 
tion is at least partially wireless (usually the parts of the communication clos- 
est to the end users), it is much easier to tap wireless information. The 
advantage of tapping wireless communication is that the signal is transmitted 
in all directions and can therefore be easily intercepted. The major disadvan- 
tage of tapping wireless signals is that it requires being physically present at the 
place where the signal is being transmitted wireless. Generally speaking, the 
wireless part of a communication covers only a very small distance compared 
to the complete distance over which the communication takes place. For in- 
stance, a phone call between Europe and the United States is transmitted via 
long-distance wires on the bottom of in the ocean (covering thousands of kilo- 
meters) and only via short wireless distances close to the users (covering a few 
kilometers). Furthermore, ensuring that the largest part of the communication 
takes place via optical transmission has the advantage of higher quality and 
less use of energy [3]. Since wireless signals constitute the weakest link when 
it comes to tapping, it is likely that this is where actual tapping will take place. 

Users may protect themselves from content tapping by using encryp- 
tion. This is why governments seem to prefer encryption methods with trap- 
doors, i.e., possibilities that allow a person with additional information to tap 
encrypted data flows (Van der Lubbe, 1997, Schneier, 2000, Abelson et al., 
1998, Akdeniz, 1998). Government institutions may then use such additional 
information for criminal investigations. Companies like Microsoft, Netscape, 
and Lotus have implemented trapdoors in their software (Leprovost, 1999). 


4. Data Retention 


In March of 2006, the European Union adopted Directive 2006/24/EC on the 
retention of data generated or processed in connection with the provision of 
publicly available electronic communications services or of public communi- 
cations networks. This European Directive requires all EU member-states to 


293 


implement national legislation to ensure that communications providers retain 
particular data, for a period of between six months and two years. The providers 
are mainly Internet Service Providers (ISPs) and telecommunication compa- 
nies. As indicated above, in contrast with tapping, data retention does not focus 
on the contents of the communication, but rather on the storage of call detail 
records of telephony and Internet traffic and transaction data. 

Obviously these data are stored with a purpose. According to Article 1 
of the Directive, the aim is to use the data for “investigation, detection and 
prosecution of serious crime”. Considering that a lot of communication takes 
place, data retention involves building vast databases. The costs for this are 
for the ISPs and telecom operators, who are subjected to fines if they fail to 
comply. In the light of the developments regarding ultrafast communication 
systems, it is expected that the volumes of communication will significantly in- 
crease. Hence, the capacity needed for storage and analysis of the data will in- 
crease accordingly. 

This will result in an overload of information. Therefore, the ability to 
distill useful information from these large amounts of data is becoming more 
and more important. Technologies are being developed for this and one of the 
most promising is data mining, which provides an automated analysis of data 
in order to find patterns and relations (Adriaans and Van Zantinge, 1996, 
Fayyad et al., 1996). Such an automated analysis may result in revealing net- 
works around particular people and it may result in risk profiles of both indi- 
viduals and groups (Custers, 2004). 

The use of such risk profiles may have some typical advantages and dis- 
advantages. The main advantages concern efficacy and (cost) efficiency, as it 
may be easier to find the individuals or target groups that are being looked for. 
A particular advantage is the possibility of finding so-called first offenders. 
This works as follows: if the characteristics of a particular individual in the 
database are very similar to the characteristics of some known individuals, it 
is assumed that such a person poses an increased risk. Obviously this does not 
mean the person actually is a terrorist or is planning a terrorist attack. However, 
there are also some disadvantages of using such risk profiles. One of the main 
problems is that the profiles may not always be accurate (Custers, 2003). There 
may be false-positives (i.e., innocent people who also fit the profile) and false- 
negatives (i.¢., terrorists and criminals that do not fit within the profile and are 
hence out of scope). The false-positives may result in arrests of innocent per- 
sons; the false-negatives may result in missing the persons who need to be 
identified. When particular criteria, such as ethnic origin and religion, are used 
to create a profile, this may result in unjustified discrimination [4]. If such pro- 
files become known publicly, this may also result in stigmatization of particu- 
lar groups (Harvey, 1990). 


294 


People who want to be protected against data retention have several op- 
tions to avoid leaving traces of their communication or to ensure that traces 
lead to other persons. These methods cause decreased reliability of the data re- 
tained. Basically identifying persons communicating via a network means es- 
tablishing a link between the user and the network. Furthermore the user needs 
to be identified, often by traditional methods, using identity documents, face 
recognition, passwords, keys, etc. The methods of identification are easily tam- 
pered with, rendering the user anonymous. Tampering with the link between 
the network and the user is a typical form of identity fraud and is often straight- 
forward. The Internet can be used anonymously by walking into an Internet 
café somewhere in the world. When registration is required, it is usually easy 
to provide a fake name. People who want to disseminate computer viruses often 
use this method in order to be untraceable. 

The user access point to a network is usually indicated by an address. For 
cell phones, this is on the SIM card (Subscriber Identity Module), a removable 
smartcard for cell phones. On the Internet, IP addresses (Internet Protocol ad- 
dresses) are used, which are numbers that locate someone’s computer on the In- 
ternet. Some IP addresses are static, i.e., they do not change every time a user 
logs on to the Internet. If a user has a dial-up connection to the Internet or is 
using a computer that is connected to the Internet intermittently, it is most likely 
picking up a dynamic IP address from a pool of possible IP addresses at the In- 
ternet service provider’s network during each login. Obviously,.dynamic IP 
addresses may be used to tamper with the link between the network and the 
user, since this is no longer a uniquely identifying link. It might be easy to re- 
trieve the IP number used at a particular point in time, but it could prove diffi- 
cult to build a dossier on a particular IP number when there are different users. 
At one moment the IP number could be used by a terrorist suspect, at another 
moment, it could be used by someone else who has nothing to do with this sus- 
pect. There are many technological applications that can be used for accessing 
and using the Internet anonymously. Using telecommunication networks 
anonymously is simple as well. For instance, anonymous phone calls can be 
made by buying a prepaid cell phone in a supermarket. The phone can be 
thrown away afterwards. At the moment, this may not be really cheap, but 
prices are decreasing. 


5. Legal Protection of Privacy 


When confronted with the developments described in the previous sections, 
many people ask whether there is any legal protection of privacy that may pre- 
vent effects of tapping and data retention. In this section I will indicate that 
there are cases where these (mainly European) privacy laws fall short. The 


295 


main reason for this is that tapping and data retention legislation usually over- 
rules privacy legislation. Privacy is often regarded as a hindrance in fighting 
crime and terrorism, although views on this are changing. Analyzing all avail- 
able data is not always as effective as a targeted (and more privacy-preserving) 
approach. 


However, even when privacy legislation is not overruled by tapping and 
data retention legislation, there are some difficulties with the legal protection 
of privacy. A brief explanation of how (European) privacy legislation works is 
required. In Europe, the collection and use of personal data is protected by a 
European Directive (the so-called ‘privacy directive’), which has been imple- 
mented in national law in the member countries of the European Union [5]. 
Privacy principles that are safeguarded in the European privacy directive cor- 
respond to the principles in the Organization for Economic Co-operation and 
Development (OECD) guidelines, [6] which were also included in the Coun- 
cil of Europe Treaty of Strasbourg [7]. (For a more detailed account, see By- 
grave, 2002.) 


These principles are: 

e the collection limitation principle, stating that “[t]here should be 
limits to the collection of personal data and any such data should be 
obtained by lawful and fair means and, where appropriate, with the 
knowledge or consent of the data subject”; 

e the data quality principle, stating that “[p]ersonal data should be rel- 
evant to the purposes for which they are to be used, and, to the ex- 
tent necessary for those purposes, should be accurate, complete and 
kept up to date”; 

è the purpose specification principle, stating that “[t]he purposes for 
which personal data are collected should be specified and that the 
data may only be used for these purposes”; 

e the use limitation principle, stating that “[p]ersonal data should not 
be disclosed, made available or otherwise used for purposes other 
than those specified, except a) with the consent of the data subject; 
or b) by the authority of law”; 

e the security safeguards principle, stating that reasonable precautions 
should be taken against risks of loss, unauthorized access, destruc- 
tion, etc., of personal data; 

e the openness principle, stating that the subject should be able to 
know about the existence and nature of personal data, its purpose 
and the identity of the data controller; 

e the individual participation principle, stating, among others, that the 


296 


data subject should have the right to have his personal data erased, 
rectified, completed or amended; 

e the accountability principle, stating that the data controller should be 
accountable for complying with measures supporting the above prin- 
ciples. 


These privacy principles for fair information practices are based on the 
concept of personal data, which is described in article 2 sub a of the European 
privacy directive as ‘data concerning an identified or identifiable natural per- 
son’, a definition that also stems from the OECD guidelines. Personal risk pro- 
files contain personal data and are therefore protected by the (national 
implementation of the) directive, but group risk profiles do not necessarily con- 
tain personal data and may therefore lack this protection. Particularly in the 
case of data retention, the use of group risk profiles is useful to avoid privacy 
legislation. A group profile is a property or a collection of properties of a par- 
ticular group of people. Group risk profiles may contain information that is al- 
ready known, for instance people who smoke live on average a few years less 
than people who do not smoke. But group risk profiles may also show new 
facts, such as, for instance, people living in zip code area 8391 are (signifi- 
cantly) more often terrorists. Group profiles do not necessarily describe a 
causal relation. For instance, people driving a red car may show (significantly) 
more criminal behavior than people driving a blue car. As was already indicated 
in the previous section, group profiles, though useful, may result in stigmati- 
zation and errors. For a more detailed discussion, see Custers, 2004. 


6. Conclusions 


Currently, there is a lot of information on communication being collected and 
processed to support the fight against crime and terrorism. As a result of new 
technological developments, such as the development of ultrafast communi- 
cation networks, it is expected that the amount of communication data will 
continue to increase. This new generation of networks is likely to be a combi- 
nation of optical and wireless devices. The former are relatively hard to tap; the 
latter are relatively easy to tap. Tapping should only be possible if the pre- 
scribed conditions allow it. It is therefore particularly recommended that cryp- 
tography is used to prevent unauthorized tapping for the wireless parts of 
ultrafast communication. This cryptography should not be too strong to be de- 
ciphered in cases in which tapping is allowed. The use of trapdoors and tech- 
nologies such as key recovery systems, key escrow systems and trusted 
third-party encryption may be useful to achieve this. 

Whereas tapping concerns the contents of the communication, data re- 


297 


tention focuses on storing and analyzing communication data, particularly call 
detail records regarding phone calls and Internet traffic. Ultrafast networks will 
require larger capacities for storing and analyzing data. The former is relatively 
easy, Since storage capacity continues to grow (though the costs involved are 
the subject of a major discussion); the latter is a significant problem. Analyz- 
ing vast amounts of data needs to be automated, for example, by means of data 
mining. However, most data mining technologies are not yet sophisticated 
enough for large-scale use. Furthermore, a major disadvantage is that the risk 
profiles resulting from the automated analyses may not be accurate. False-pos- 
itives may result in investigating and even arresting innocent people. False- 
negatives may result in criminals and terrorists being out of scope. 

When risk profiles have limited accuracy, they should only be used with 
the utmost care, in order to prevent investigating and arresting innocent peo- 
ple. It is recommended to always perform double checks on existing risk pro- 
files and not to merely rely on data in databases, but to also conduct significant 
fieldwork. In order to prevent the worst forms of unjustified discrimination 
and social polarization, it is recommended not to include sensitive personal 
data, such as religion and ethnic background, in the risk profiles. 

It is important to note that the increasing speed of network communica- 
tion on tapping and data retention does not present much of a difference to civil 
liberties issues. Issues like privacy, guilt by association and wrongful arrest do 
not present much of a difference if a fast or slow network is presented. How- 
ever, the combined effects of new technologies and new powers for govern- 
ment organizations have far-reaching consequences for the constitutional rights 
and privacy of individuals. Recent research in the Netherlands shows that the 
over the past few years, the Dutch government has approved numerous laws 
that have drastically increased the intelligence-gathering powers of the police, 
judiciary and intelligence services (Vedder et al. 2007). 

Summarizing, tapping and data retention in the age of ultrafast commu- 
nication networks may be very useful to reveal criminal and terrorist networks 
and to find first offenders. Both aspects are increasingly needed in the fight 
against crime and terrorism. However, because of the increasing amounts of 
data that are communicated over ultrafast networks, it is vital to start by de- 
termining which data should be collected. Even though all data can be stored, 
it is not recommendable to do so because the overview will be lost. It is better 
to make a selection of the data that may be useful. This will make the approach 
better targeted and effective than storing and analyzing all available data. 


298 


Notes 


[1] See for instance Article 12 of the Universal Declaration of Human Rights and Article 
8 of the European Convention on Human Rights. 

[2] Note that actually cutting the cable is not necessary to tap the information flow. 

[3] Generally speaking, optical transmission is in only one direction, whereas wireless 
transmission is usually in all directions. As a result the strength of a wireless signal de- 
creases with a factor of 1/1? over a distance r. 

[4] Note that telephone and Internet data do not include such characteristics; however, 
they may be derived with some accuracy from location data, since particular locations 
may be indicators for characteristics like ethnic background and religion. 

[5] European Directive 95/46/EG of the European Parliament and the Council of 24" Oc- 
tober 1995, [1995] OJ L281/31. 

[6] See <http://s3-hq.oecd.org/scripts/pwv3/pwhome.htm>. 

[7] See <http:/www.coe.fr/dataprotection/Treaties/Convention%20108%20E.htm>. 


References 


1. Abelson, H., Anderson, R., Bellovin, S.M., Benaloh, J., Blaze, M., Diffie, W., Gilmore, 
J., Neumann, P.G., Rivest, R.L., Schiller, J.I., and Schneier, B. (1998) The Risks of Key 
Recovery, Key Escrow & Trusted Third Party Encryption; A report by an ad hoc group 
of cryptographers and computer scientists. <www.cdt.org/crypto/risks>. 

2. Adriaans, P., and Zantinge, D. (1996) Data mining, Harlow, England: Addison Wesley 
Longman 

3. Akdeniz, Y. (1998) No Chance for Key Recovery: Encryption and International Prin- 
ciples of Human and Political Rights. In: 4 International Conference on Ethical Issues 
of Information Technologies, Ethicomp 98, Rotterdam. Zielinski, C. (1998) The Ethics 
of Encryption, In: 4” International Conference on Ethical Issues of Information Tech- 
nologies, Ethicomp 98, Rotterdam. 

4. Blok (2002) Het recht op privacy [The right to privacy]. The Hague: Boom Juridische 
Uitgevers. 

5. Bygrave, L.A. (2002) Data Protection Law; approaching its rationale, logic and lim- 
its, Information Law Series 10, Den Haag: Kluwer Law International. 

6. Custers, B.H.M. (2003) Effects of Unreliable Group Profiling by Means of Data Min- 
ing. In: G. Grieser, Y. Tanaka and A. Yamamoto (eds.), Lecture Notes in Artificial In- 
telligence, Proceedings of the 6th International Conference on Discovery Science (DS 
2003) Sapporo, Japan. Berlin, Heidelberg, New York: Springer-Verlag, Vol. 2843, pp. 
290-295. 

7. Custers, B.H.M. (2004) The Power of Knowledge, Tilburg: Wolf Legal Publishers. 

8. Fayyad, U.M., Piatetsky-Shapiro, G., and Smyth, P. (1996) From Data Mining to 
Knowledge Discovery: An Overview. In: U.M. Fayyad G. Piatetsky-Shapiro, P. Smyth 
and R. Uthurusamy (eds.) Advances in knowledge discovery and data mining. Menlo 
Park, California: AAAI Press / The MIT Press. 

9. Hagar, N. (1997) Exposing the Global Surveillance System, Covert Action Quarterly, 
Winter 1997. 


299 





10. 


I1. 


12. 


13. 


14. 


15. 


16. 
17. 


18. 


19. 


20. 


21. 


Harvey, J. (1990) Stereotypes and Group-Claims; Epistemological and Moral Issues, 

and their Implications for Multi-Culturalism in Education, Journal of Philosophy of 
Education, Vol. 24, No. 1, pp. 39-50. 

Koops, B.J. (1999) The Crypto Controversy; A Key Conflict in the Information Society, 

The Hague, Netherlands: Kluwer Law International. 

Leprovost, F. (1999) Encryption and Cryptosystems in Electronic Surveillance: A Sur- 

vey of the Technology Assessment Issues. In: Development of Surveillance Technol- 
ogy and Risk of Abuse of Economic Information; An Appraisal of Technologies of 
Political Control. In: D. Holdsworth (ed.) European Parliament, Directorate General for 
Research, Scientific Technological Options Assessment (STOA). 

Madsen, W. (1998) Crypto AG: The NSA’s Trojan Whore? Covert Action Quarterly, 

Winter 1998. 

Markoff, J. (2002) Pentagon Plans a Computer System That Would Peek at Personal 
Data of Americans, New York Times, November 9, 2002. 

Miller, D.A.B. (2004) Ultrafast Digital Processing, In: A. Miller, D.M. Finlayson, D.T. 

Reid (eds.) Ultrafast Photonics, Bristol, Philadelphia: Institute of Physics Publishing. 

Raessens, B. (2001) E-business, Your Business. Utrecht: Lemma. 

Schaller, R.R. (1997) Moore’s Law: Past, Present and Future, Spectrum, IEEE, Volume 
34, June 1997, pp. 52-59. 

Schneier, B. (2000) Secrets and Lies; Digital Security in a Networked World, New York: 

Wiley Computer Publishing, p. 241. 

Solove, D. (2004) The Digital Person, Technology and Privacy in the Information Age, 
New York: New York University Press. 

Van der Lubbe, J.C.A. (1997) Basismethoden cryptografie, Delft: Delftse Universitaire 
Pers. p. 143. Systems with exceptional access include key recovery systems, key escrow 
systems, or trusted third-party encryption. 

Vedder, A. Vedder, A.H., Wees, L. van der, Koops, B.J., & Hert, P.J.A. de (2007). Van 
privacyparadijs tot controlestaat? Misdaad- en terreurbestrijding in Nederland aan 
het begin van de 21ste eeuw. Den Haag: Rathenau Instituut. (Studies Rathenau Instituut, 
49). 


300 


Privacy-enhancing user-friendly Identity Management 
for Location Based Services using PRIME 
technology — A legal discussion 


Eleni Kosta', Jan Zibuschka’, Tobias Scherner? & 
Jos Dumortier! 


' Interdisciplinary Centre for Law & ICRI 2 Frankfurt University 
ICRI-K.U.Leuven Chair for Mobile Business and Multilateral 
Sint-Michielsstraat 6 Security 
B-3000 Leuven GrafstraBe 78, D-60054 
Belgium Frankfurt am Main, Germany 
{name.lastname} @law.kuleuven.be {zibuschka, scherner} @m-lehrstuhl.de 


Abstract: The term Location Based Services (LBS) is used for 
applications that leverage the user’s physical location to provide an en- 
hanced service or experience, such as route guidance, tourist and weather 
information etc. The traditional LBS implementation allows the Mobile 
Operator as well as the Application Provider of the Location Based Serv- 
ice to have access to a large amount of personal data of the user. The 
PRIME toolbox, an identity management system, can be used in mobile 
applications in order to enhance the privacy of the user. In this paper we 
are going to present the PRIME toolbox and examine it from a legal 
viewpoint, using a Pollen Warning Application as our case study. 


Keywords: Location Based Services, location data, privacy, data controller, 
PRIME 


Introduction 


The term Location Based Services appeared in the end of the 90s and is used 
for applications that leverage the user’s physical location to provide an en- 
hanced service or experience [1], such as route guidance, location of stolen or 
missing property, tourist and weather information etc. Primary role in Location 
Based Services play the location data that enable the identification of a wire- 
less device. The provision of such services involves the processing of differ- 
ent types of personal data of the user, such as his location data, i.e the data 
indicating the geographic position of the terminal equipment, his contacts, pref- 
erences, etc, depending on the type of Location Based Service. The conven- 
tional LBS deployment involves the Mobile Operator, who has the 
identification and location data of the user, and the Location Based Service 
Application Provider (hereafter LBS Application Provider), who offers the spe- 


301 





cific information for the provision of the service, such as maps, directories etc. 
In this deployment both the Mobile Operator and the Application Provider 
process a great amount of personal data of the user, allowing them to create ex- 
cessive profiles. Based on the concept “the machine is the problem: the solu- 
tion is in the machine” (Poullet, 2006, p. 206), privacy friendly user centric 
identity management systems are being deployed, aiming at assisting the user 
in gaining more control over his personal data. In this paper the PRIME tool- 
box, a privacy enhancing identity management system, implemented in a Lo- 
cation Based Service application that warns users of pollen sensitive areas, will 
be presented and analysed from a legal viewpoint. 


Overview 


As already mentioned, in a conventional LBS deployment, the only interacting 
parties are the Mobile Operator (MO) and the LBS Application Provider (AP). 
This often leads to implementations where the user has to do a lot of configu- 
ration individually for each service, which makes for instance configuration 
of complex privacy policies infeasible from a usability point of view. Addi- 
tionally, information is often transmitted quite freely between the involved par- 
ties (see Figure 1), based on the user’s agreement to a catch-all type privacy 
policy proposed by the individual Application Provider. This undisciplined in- 
formation flow leads to the Mobile Operator gaining knowledge about service 
specifics, and as of such details of the users’ habits, while the LBS Application 
Provider learns the user’s identity. 

To address those weaknesses, an Intermediary architecture as discussed 
in (Koelsch et al., 2005) and (Zibuschka et al., 2007) may be deployed, intro- 
ducing an additional party decoupling the Mobile Operator and the LBS Ap- 
plication Provider. Information intermediaries have been discussed by e.g. 
(Rose, 2003), and involving such a third party offers a high flexibility regard- 
ing business models and market structure, beneficial properties in the volatile 
mobile market. While the term “intermediary” suggests an independent entity, 
the Intermediary component doesn’t have to be deployed by independent par- 
ties, but may also be deployed e.g. or on the Mobile Operator’s systems. In 
this case appropriate organizational measures should be put in place to ensure 
an equivalent partitioning of information (between different entities within the 
MO). However, deployment at an independent party is very common and vi- 
able, for instance at MVNOs (Mobile Virtual Network Operators, resellers that 
do not operate their own infrastructure). The possible market structures and 
deployment models are discussed in more detail in (Zibuschka et al., 2006, 
section IV). 

The Location Intermediary (or simply Intermediary) offers solutions for 


302 


presently not adequately solved problems. First of all, the proposed orchestra- 
tion provides a uniform policy- and consent-management facility, which al- 
lows configuring several services via the same interface. The Intermediary 
approach provides also a de-coupling of service-centric user identity and core 
identity information available in the underlying information flows of the tra- 
ditional Mobile Operator scenario. Furthermore, the deployment of an Inter- 
mediary could be used as a relay for users’ communications and thus 
anonymise traffic towards the LBS Application Provider. 

So, generally speaking, the Intermediary architecture decouples the par- 
ties involved in the classic scenario (Mobile Operator & LBS Application 
Provider) while enabling advanced privacy functionalities in a user friendly 
way. The configuration is also attractive for the other involved parties, and eco- 
nomically viable, offering high flexibility for deployment scenarios and busi- 
ness models (Scherner, 2007). The Mobile Operator delivers localisation and 
billing services without acquiring any additional personal information of its 
subscribers (such as service usage or allergy profiles). The LBS Application 
Provider can offer the service without requiring user identification. Thus, the 
Intermediary can be seen as a kind of identity border, hiding the user’s iden- 
tity from the individual LBS Application Providers, as depicted in Figure 2. 


Intermediaries and Information Distribution 


In the conventional scenario, as already described, both the Mobile Operator 
and the LBS Application Provider gain a more or less complete view of the 
users’ LBS-related activities. They can build movement profiles, learn details 
of service usage and invested money, as described in the Table 1, taken from a 
case study executed within the PRIME project. [2] 

In comparison, in an Intermediary scenario, Mobile Operator and LBS 
Application Provider only see data that are necessary for the provision of their 
service. If personal data are not critical to the functions an entity is perform- 
ing, it will at most see an encrypted or obfuscated version of them. As described 
above, the Intermediary decouples the entities involved in the LBS scenario, 
and thereby allows for a more privacy-preserving distribution of information 
in the system. Specifically, the system employs pseudonyms (both temporary 
and static, depending on the specific use) to route location information, deter- 
mine matching Regions of Interest (ROIs, high levels of pollen in certain areas 
in this case), and send notifications to the user. 

The following paragraphs will shortly describe the technology behind an 
Intermediary system, as implemented in the PRIME project. [3] The method 
employed to determine whether the user has entered a notification area will be 
presented in more detail, leading to an achieved information distribution. Note 


303 


that some steps are simplified, e.g. cryptographic details of the obfuscation 
steps are omitted, so this description should not be used for thorough techno- 
logical evaluation. However, the actual information transmissions will only be 
more privacy-preserving than they appear in this overview. 


The prototype workflow can be roughly divided into 3 steps: 


Step 1: The user has to subscribe to and to configure the service. 

Step 2: After being initialised, the service starts to determine the Re- 
gions of Interest for the corresponding user profile. 

Step 3: In the case that the user profile matches with the actual or fore- 
casted pollen population; the user gets notified via a pre-deter- 
mined channel (an SMS message in our scenario). 


The user first subscribes to a service, configuring the access policies to 
his location for this service, which is stored at the Mobile Operator and used 
to control access to the location information. He also configures his service 
profile, consisting of his interests, and thus the regions he wants to be notified 
about. Those are stored at the Intermediary in an obfuscated fashion, so that the 
Intermediary is able to match incoming regions to users, but cannot discern 
the user’s specific interests. A static pseudonym 1 is created and shared be- 
tween Intermediary and LBS Application Provider. Such a static pseudonym is 
needed for matching a user’s allergy profile to Region of Interest updates, en- 
coded using an obfuscation scheme by the LBS Application Provider. The 
user’s allergy profile is stored at the Intermediary in an obfuscated way, pre- 
venting access of both Mobile Operator and Intermediary to the allergy data. 

The Intermediary regularly receives updates of Regions of Interest 
(bound to the static pseudonym 1) and user location (from the Mobile Opera- 
tor, via the stored policies), checking whether a user notification is necessary. 
If a match is determined, it is returned to the LBS Application Provider, using 
a transaction pseudonym 2, ensuring unlinkability of matches — the LBS Ap- 
plication provider cannot discern which user has initiated the transaction, as a 
new pseudonym is generated every time. A pseudonymous, (transaction pseu- 
donym 2) generic notification is then prepared by the LBS Application 
Provider, re-personalised at the Intermediary if needed, and then transmitted to 
the user via the Mobile Operator (see Figure 3). This leads to a scenario where 
personal data are fragmented between the different entities, and linked to pseu- 
donyms that do not allow for easy identification, as presented in the Table 2 [4]. 

In the PRIME project the PRIME toolbox is tested in a Pollen Warning 
Location Based Service Prototype. A derivative infrastructure component has 


304 


also been developed and deployed by a major European Mobile Operator, 
demonstrating that the concept is valid, deployment is easy, and the costs in- 
curred by users in this implementation are negligible. This Pollen Warning 
service is a push service [5] and employs advanced mobile terminals realising 
a sophisticated privacy-preserving provisioning of location based services, 
where notifications are not triggered directly by the user. Such an application 
presents a great interest from a legal point of view. Besides the general con- 
siderations regarding Location Based Services, such as the conditions under 
which processing of location data is allowed, defining the data controller and 
his privacy obligations etc, this push service presents particular interest be- 
cause it involves information about the allergies of a user, as well as his local- 
isation in predefined periods, and not upon his individual request. Such 
“tracking” services allow the creation of motion profiles and thus have much 
greater potential privacy repercussions than punctual, user-initiated localisa- 
tions. In the chapters that follow we will examine some critical legal issues, 
using the Pollen Warning Location Based Services Prototype as a case study. 


Personal data in an Intermediary LBS application 


The PRIME toolbox involves an Intermediary that creates an invisible “wall” 
in the flow of personal data between the Mobile Operator and the LBS Appli- 
cation Provider. In this way the two aforementioned entities receive only the 
information that is necessary for the provision of their service and the basic 
privacy principle of data minimisation, according to which “personal data must 
be [...] adequate, relevant and not excessive in relation to the purposes for 
which they are collected and/or further processed” [6], is respected. 


Handling with pseudonymous data 

As defined by the data protection directive in Article 2(a) ‘personal data’ shall 
mean any information relating to an identified or identifiable natural person 
(‘data subject’). When the natural person can not be directly identified, it has 
to be examined whether the person is identifiable, thus whether he can be iden- 
tified, directly or indirectly, in particular by reference to an identification num- 
ber or to one or more factors specific to his physical, physiological, mental, 
economic, cultural or social identity (Art. 2(a); al. 2 data protection directive). 
Recital 26 of the data protection directive reads that in deciding whether data 
could be used to identify a particular person “account should be taken of all the 
means likely reasonably to be used either by the controller or by any other per- 
son to identify the said person” (emphasis added). Thus the recital sets two cri- 
teria for identifiability: the probability and the difficulty that tend to be 
interlinked (Bygrave, 2002, p.44). 


305 


The Pollen Warning PRIME-enabled LBS prototype entails the pro- 
cessing of several types of data that qualify per se as personal data, such as the 
contract and billing data of the user, his IP-Address (which is easily linkable 
to the user’s identity by the Mobile Operator), traffic and location data, avail- 
able to the Mobile Operator. Besides these data, the prototype pertains to data 
that are pseudonymous. Regarding these data, it has to be examined whether 
they can be considered as data relating to an identified or identifiable natural 
person and thus qualify as personal data. According to Kuner , “pseudonymous 
data are still subject to data protection law since they could be tied to the in- 
dividual” (Kuner, 2007, par.2.10). The Article 29 Working Party [7] adopted a 
similar position, stating that “[r]etraceably pseudonymised data may be con- 
sidered as information on individuals which are indirectly identifiable” (Art. 29 
WP, Opinion 4/2007, p.18). Given that pseudonymous data can be retraced by 
the Intermediary and some of them possibly by the Mobile Operator, these data 
are indeed personal data and the data protection legislation will apply on them 
as well. 


Allergy data 


The data protection directive provides in Article 8 (1) for the prohibition of the 
processing of special categories of data, commonly known as sensitive data. 
Such data are the personal data revealing racial or ethnic origin, political opin- 
ions, religious or philosophical beliefs, trade-union membership and data con- 
cerning health data or sex life. The processing of the aforementioned data is 
only allowed on grounds explicitly mentioned in Article 8 (2)-(7) of the direc- 
tive. 

In order to subscribe to the Pollen Warning application, the user has to 
specify his allergy profile. At this point it is crucial to examine whether the 
relevant data fall under the category of sensitive data. According to Article 8 
(1) data protection directive, the data “concerning health or sex life” are con- 
sidered as sensitive data and from a first look it would seem that the user’s data 
regarding his allergies are sensitive data. The European Court of Justice has 
taken the position that the expression “data concerning health [must be given 
a] wide interpretation, so as to include information concerning all aspects of the 
data subjects, both physical and mental, of the health of an individual” [8]. 

However, the directive asks for data “concerning health life meaning 
that the data shall have direct connection with the health or the state of the 
health of the data subject (De Bot, 2001, p.154). If the personal data merely “re- 
veals” the medical condition of the data subject, it falls outside the protective 
ambit of Article 7 of the directive (De Bot, 2001, p.154). In the prototype, the 
user does not have to demonstrate that he has an- allergy against the specific 


306 


type of pollen he is subscribing for in the Pollen Warning application. He can 
subscribe just for fun, to check how such a service would work, he can sub- 
scribe on behalf of somebody else, such as his little baby, or out of scientific 
interest. Therefore the data regarding the allergy do not qualify as data con- 
cerning health life and shall not be handled according to the specific provi- 
sions of Article 8 data protection directive. Nevertheless it is to be pointed out 
that in case the contract signed between the subscriber and the Mobile Opera- 
tor contains explicitly the term that the subscriber needs to declare that he has 
indeed the allergy he is subscribing to, then the relevant data would be sensi- 
tive data, according to the data protection legislation. 


Defining the data controller 


The data controller is “the natural or legal person, public authority, agency or 
any other body which alone or jointly with others determined the purposes and 
means of the processing of personal data” [9]. In the traditional Location Based 
Service model, the controller of the data can be either the LBS Application 
Provider or the Mobile Operator or both of them can be controllers of the data, 
depending on who determines the purposes and means of the processing of 
personal data. However in practice, according to the contractual agreements 
between the LBS Application Provider and the Mobile Operator, it is the lat- 
ter that actually determines the purposes and means of the processing of per- 
sonal data and is therefore the controller of the data. 

The problem of defining the controller of the data in the new telecom- 
munications networks is already identified by the Consultative Committee of 
the Convention for the protection of individuals with regard to automatic pro- 
cessing of personal data of the Council of Europe: “Nowadays [...] this model 
in which a sole person or body is responsible for determining the parameters 
of the automatic processing is increasingly challenged by examples to the con- 
trary. Several actors, among which are the controller or co-controllers, the 
processor(s) and the service provider(s), interact in the processing. As a result, 
data subjects might not always know whom to turn to in order to exercise their 
rights” (Council of Europe, T-PD-BUR, 2006, 08 E fin). 

In the PRIME enabled Pollen Warning application three main actors, 
besides the user, are participating: the Mobile Operator, the Application 
Provider and the Intermediary and according to the aforementioned argumen- 
tation the contractual relationships among them shall determine who is the con- 
troller of the data and eventually who is the processor [10] of the data, if any. 
The relationships among them are much more complicated than in the con- 
ventional Location Based Services deployment, as besides the increased num- 
ber of participants, each of the respective actors knows only some information 
about the subscriber or the user, i.e. the Mobile Operator knows the contract 


307 


data of the subscriber, the Intermediary, the location data and the information 
of the cloaked allergy profile, the LBS Application Provider has information 
about one allergy (as the information is transferred to him via a transaction 
pseudonym every time, so he can not tell that the data refer to the same indi- 
vidual) etc (see Table 2). Identifying the controller in a data processing oper- 
ation is crucial not only for the fulfilment of the obligations imposed to the 
controller by the data protection legislation and the determination of liability 
issues that might arise, but also for the exercise of the rights of the data sub- 
ject. In the Intermediary scenario not only the Mobile Operator, but also the In- 
termediary and the Application Provider are involved in the provision of the 
service and therefore “it is up to them to clarify among themselves who is re- 
sponsible for what, taking account of legal criteria. Otherwise they might be 
held jointly responsible for any damage” (Council of Europe, T-PD-BUR, 
2006, 08 E fin). It shall be noted that in the Intermediary scenario the LBS Ap- 
plication Provider processes only anonymous data, as the user is known to him 
only by a transaction pseudonym that is generated every time the service is 
used, so he will not qualify as data controller anyway. Nevertheless, in order 
to avoid situations where the user will have to address several actors in order 
to obtain some information or to exercise his rights, it would be suggested that 
a similar approach to the one already discussed for the traditional Location 
Based Services scenario. The Mobile Operator shall be considered controller 
of the data and thus responsible towards the user and this fact shall be included 
and demonstrated in the contractual agreements between the Mobile Operator, 
the Intermediary and the LBS Application Provider, where the liability issues 
among the aforementioned parties shall be regulated (Kuner, 2007, par. 2.23 
ff.). 

This solution is also to the benefit of the user, who will be able to exer- 
cise his rights in front of the Mobile Operator, as a single point of contact, and 
will not need to be involved in understanding complicated relationships be- 
tween the entities involved for the provision of the service: he signs a contract 
with the Mobile Operator, interacts with the Mobile Operator for the provision 
of a Location Based Service and it is the Mobile Operator he will turn to in 
order to exercise his privacy rights. Such rights are the right to ask the rectifi- 
cation of data, to delete them, block them, as well as the right to object to the 
processing of some of his data. 


Consent of the data subject 


According to Article 2 (h) data protection directive “the data subject’s consent 
shall mean any freely given, specific and informed indication of his wishes by 
which the data subject signifies his agreement to personal data relating to him 
being processed” and it is one of the main grounds for making data processing 
legitimate [11]. 


308 


Information to be given to the data subject 


The Intermediary application presupposes the processing of location data, for 
which the European data protection legislation foresees special rules. Before 
obtaining the consent, the service provider (in our case the Mobile Operator, 
according to the analysis made in Section 5) must provide the individual with 
specific information regarding the type of location data that will be processed, 
of the purposes and the duration of the processing and whether the data will be 
transmitted to a third party for the purpose of providing the Location Based 
Service (Art. 9(1) ePrivacy dir.). More information needs to be given to the 
user according to the provisions of the data protection directive and the ePri- 
vacy directive. Such information deriving from article 10 data protection di- 
rective and articles 6 and 9 ePrivacy directive is: the identity of the controller 
and of his representative, if any, the purposes of processing, the type of loca- 
tion data processed, the duration of processing, whether the data will be trans- 
mitted to a third party for the purpose of providing the value-added service, the 
right of access to and the right to rectify the data, the right of users to withdraw 
their consent at any time or temporarily refuse the processing of such data, and 
the conditions on which this right may be exercised, the right to cancel the data 
(Article 29 WP, Opinion on the use of location data, p. 4-5). The aforemen- 
tioned information is given to the user in the privacy policy he has to accept, 
before the initiation of the service. 

The information shall be provided by the party collecting the location 
data for processing. Based on our analysis regarding the controller of the data 
the responsible for the provision of the aforementioned information to the user 
shall be the Mobile Operator. The information shall not be given in the general 
contract terms, but it could be provided either directly each time the service is 
used or in the general terms and conditions for the Location Based Service. In 
the latter case the Mobile Operator should make the information available so 
that the individuals concerned can consult it again at any time and by a simple 
method, such as via a website or while using the service (e.g. dialling a toll-free 
number) (Article 29 WP, Opinion on the use of location data, p. 5). 


Withdrawal of consent 


The possibility of switching on and off the Location Based Service is foreseen 
in Art. 9(2) ePrivacy dir., according to which “where consent of the users or 
subscribers has been obtained [...], the user or subscriber must continue to 
have the possibility, using a simple means and free of charge, of temporarily 
refusing the processing of such data for each connection to the network or for 
each transmission of a communication”. The user shall be therefore able to 


309 


withdraw his consent easily. The ways this can be done in the Pollen Warning 
application is either by (temporarily) deactivating the privacy policy or by un- 
subscribing at the PRIME console. 


Storage and retention of traffic and location data 


The location data used for the provision of a Location Based Service shall be 
processed only to the extent and for the duration necessary for the provision of 
the service [12]. After that they should be deleted or made anonymous. Traf- 
fic data relating to subscribers and users processed and stored by the provider 
of a public communications network or publicly available electronic commu- 
nications service must be erased or made anonymous when they are no longer 
needed for the purpose of the transmission of a communication. [13] However 
the aforementioned providers may process traffic data for the provision of value 
added services, if the subscriber or user to whom the data relate has given his 
prior consent [14]. 

Additionally to these provisions the European Union recently adopted a 
directive that asks for the retention of specific types of traffic and location data 
in order to ensure that they are available for the purpose of the investigation, 
detection and prosecution of serious crime; the data retention directive. The 
Location Based Service is a communication [15] under the definition of Arti- 
cle 2(d) ePrivacy directive and thus some data relative to the service shall be 
retained. The data retention obligations that are defined in the directive cover 
only the Mobile Operator as it is the only actor who is a provider of publicly 
available electronic communications services. Therefore the Mobile Operator 
shall retain in a way that they are available to the law enforcement agencies the 
data that allow the identification of the subscriber or the registered user, the 
telephone service used, the International Mobile Subscriber Identity (IMSI) 
and the international Mobile Equipment Identity (IMEI) of the mobile device. 
When it comes to data necessary to identify the date, time and duration of a 
communication concerning mobile telephony, the provider shall retain the date 
and the time of the start and end of a communication. Moreover the provider 
shall retain the location label (Cell ID) at the start of the communication. 

Location Based Services are not however the typical communication 
that is offered via mobile telephone networks and the last two cases present 
some difficulties in their interpretation especially in the case of push services. 
In the Pollen Warning Service for instance the user can configure its settings 
in a way so that his phone is localised for instance from Monday to Friday be- 
tween 15.00 and 20.00. Based on this preference the Mobile Operator will lo- 
calise the device of the user, let’s say, every 5 minutes, and will inform him, 
when his user profile matches with actual or forecasted pollen population. In 


310 


this case it is not very clear when the communication starts, in order to retain 
the data relating to the Cell ID at the start of the communication, nor is it easy 
to say whether the data of all localisations in the requested time period shall be 
retained, or only the ones that result in a positive answer and an SMS is sent 
to warn the user that he is indeed in a dangerous zone for his allergies. 


Conclusion 


In the traditional implementation of Location Based Services the Mobile Op- 
erator and the LBS Application Provider have access to a large amount of in- 
formation that is not needed for the part of the service they offer. The Mobile 
Operator gains knowledge about service specifics, and consequently details of 
the users’ habits, while the LBS Application Provider learns the user’s identity, 
something that it not necessary information for him. The Intermediary scenario 
using PRIME technology is decoupling the Mobile Operator and the LBS Ap- 
plication Provider. It involves the presence of a third entity, an Intermediary, 
who is ensuring that only the absolutely necessary data will be transmitted to 
each of the aforementioned players and is able to link the pseudonyms of the 
users in order to make sure that the correct service is offered to the right user. 
This model is more privacy friendly and allows the user to have more control 
over his personal data. Privacy Enhancing Technologies, such as the PRIME 
toolbox, can assist individuals to secure themselves against technology viola- 
tions and allow them to “enable upstream control of privacy rights as well as 
individual control.” (Lessig, 2006, p. 231). 


Notes 


* This work was supported by the European Union IST PRIME project; however, it repre- 
sents the view of the authors only. 


[1] http://forum.nokia.com/main/resources/technologies/location_based_services.html (last 
accessed 05.10.2007) 

[2] PRIME Project, PRIME LBS Application Prototype V2 - High Level Design, Internal 
Deliverable 4.1.b.3.4, 2007 

[3] PRIME Project, PRIME LBS Application Prototype V2 - High Level Design, Internal 
Deliverable 4.1.b.3.4, 2007 

[4] PRIME Project, PRIME LBS Application Protetype V2 - High Level Design, Internal 
Deliverable 4.1.b.3.4, 2007 

[5] Location Based Services that are triggered by the user, like the “Find my nearest...”, 
are called pull services. 

[6] Art. 6(1)(c) data protection directive. 


Individuals with regard to the Processing of Personal Data is established, made up of the 
Data Protection Commissioners from the Member States together with a representative of 


311 


the European Commission. The Working Party is independent and acts in an advisory ca- 
pacity. The Working Party seeks to harmonise the application of data protection rules 
throughout the EU, and publishes opinions and recommendations on various data protec- 
tion topics. 

[8] European Court of Justice, Lindqvist v. Sweden, 6 November 2003, Case C-101/01, 50 
[9] Article 2 (d) data protection directive. 


[10] According to Art. 2 (e) “processor shall mean a natural or legal person, public author- 
ity, agency or any other body which processes personal data on behalf of the controller. 


[11] Art. 7(a) data protection directive 
[12] Article 9(1) ePrivacy directive . 
[13] Art. 6 (1) ePrivacy directive. Exceptions are foreseen for the retention of traffic (and 


location data) for the purpose of the investigation, detection and prosecution of serious 
crime see analytically section 7. 
` [14] Art. 6 (3) ePrivacy directive 

[15] ‘Communication’ means any information exchanged or conveyed between a finite 
number of parties by means of a publicly available electronic communications service. This 
does not include any information conveyed as part of a broadcasting service to the public 
over an electronic communications network except to the extent that the information can 
be related to the identifiable subscriber or user receiving the information (Article 2(d) ePri- 
vacy directive) 


References 


1. Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal 
data, WP136, 20 June 2007. 


2. Article 29 Data Protection Working Party, Opinion on the use of location data with a 
view to providing value-added services, WP 115, 25 November 2005. 


3. Bygrave L. (2002). Data Protection Law — Approaching its Rationale, Logic and Lim- 
its. The Hague, London, New York. Kluwer International. 

4. Consultative Committee of the Convention for the protection of individuals with re- 
gard to automatic processing of personal data of the Council of Europe. Opinion of 
the T-PD n the interpretation of the concepts of automatic processing and controller 
of the file in context of worldwide telecommunications networks, as adopted by the 
T-PD at its 23" meeting, T-PD-BUR (2006) 08 E fin (Strasbourg, 15 March 2007). 


5. De Bot D. (2001). Verwerking van persoonsgegevens. Antwerp. Kluwer. 
Directive 95/46/EC of the European Parliament and of the Council of 24 October 


1995 on the protection of individuals with regard to the processing of personal data 
and on the free movement of such data, L281, 31, 23 November 1995. 


7. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 
concerning the processing of personal data and the protection of privacy in the elec- 
tronic communications sector, O.J. L201,37, 31 July 2002. 

8. Directive 2006/24/EC of the European Parliament and of the Council on the retention 
of data generated or processed in connection with the provision of publicly available 
electronic communications services or of public communications networks and 
amending Directive 2002/58/EC, O. J. L105, 54, 15 March 2006. 


9. Koelsch, T., Fritsch, L., Kohlweiss, M. & Kesdogan, D. (2005). Privacy for Prof- 


312 


10. 


11. 
12. 


13. 


14. 


15. 


16. 


itable Location Based Services. In Proceedings of the Second International Confer- 
ence on Security in Pervasive Computing (SPC 05). Lecture Notes in Computer Sci- 
ence. LNCS 3450, Boppard (pp. 164-179). Berlin: Springer. 


Kuner Ch. (2007). European Data Protection Law — Corporate Compliance and Reg- 
ulation. Oxford University Press, 2" edition. 


Lessig L. (2006). Code and other laws of cyberspace. New York. Basic Books. 


Poullet Y. (2006). The Directive 95/46/EC: Ten years after. Computer Law and Se- 
curity Report Volume 22, pp.206-217 


Rose, F. (1999). The economics, concept and design of information intermediaries. 
Heidelberg, Germany: Physica Verlag. 


Scherner, T. (2007). Enabling Efficient and Privacy-friendly Location-based Serv- 
ices with Standardized Intermediary Infrastructures. In Proceedings of the 13th Amer- 
icas Conference on Information Systems, Keystone. Fort Collins: Colorado State 
University. 


Zibuschka, J., Scherner, T., Fritsch, L. & Rannenberg, K. (2006) Towards a Unified 
Interface for Privacy Regulation-conformant Location-based Services. W3C Work- 
shop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforce- 
ment, Ispra, Italy, http://www.w3.org/2006/07/privacy-ws/papers/33-zibuschka- 
location-based/ 

Zibuschka, J., Fritsch, L., Radmacher, M., Scherner, T. & Rannenberg, K. (2007). 
Enabling Privacy of Real-Life LBS: A Platform for Flexible Mobile Service Provi- 
sioning. In Venter, H. (ed.) Proceedings of the 22nd IFIP TC-11 International Infor- 
mation Security Conference, Sandton, South Africa. New York: Springer. 


Appendix 


Figure 1 Classic LBS scenario 


Mobile Operator 
learns user's services & 
all usage pattems 
-can monitor sent 
notifications 
-can derive e.g. allergies 





LBS Application 
Provider 
-usage patterns 
-needs to identify user for 
billing 
-movement profiles 
-per service configuration 
of policies and consent 


313 


Figure 2 LBS prototype / Intermediary scenario (schematic) 


Mobile Operator 
-localization and bilting 
-controls service access to 4 ocation intermediary 
location -decoupling 
(pseudonymization/ 
repersonalization} 
-uniform management of 
consent & policies 
-proxies service 
connections to MO 
-matching of profites to 














User identity 
identity Border — 


Pseudonym 








LBS Application 
Provider 
-privacy-preserving service 
provision using 
pseudonyms 


Figure 3 LBS prototype sequence 





22 Locsin upi aes | 


* Repersoraiine amd Kee notieca: 






ac" oe ieee peiie and locaton F: i nt 2a AOI updates 
2nfNobtaabon epar SONA St $ n Ib Sene Motitecation 
“, 


{ 


1a Subscribe w PE ie 


314 





Table 1: Conventional LBS Deployment Distribution of Information 


Mobile Operator LBS Application Provider 
e Contract Data e User Identity 

o Name o Name 

o Address o Address 

o Phone Number o Phone Number 

oO... o e-Mail 
e Position (at any time mobile device is on) paa 
e Time(s) of Localization(s) e Position (while using service) 
e |P-Address e Time(s) of Localization(s) 
e Billing Data e Mobile operator 
e Service Usage (personal interests, including e Service Usage Patterns 


profiles, e.g. allergies) 
e Transmitted Notifications 


Table 2: PRIME LBS Partitioned Information 









LBS Application Provider 


e Corresponding pseudonyms | Bound to static pseudonym fs 
(1&2) e Intermediary used Bound to 
User location (when needed)| transaction pseudonym 2 

e ROIs (when needed) è One allergy 

e Time of match 

e Involved ROIs General knowl- 
edge: 

e Subscriptions/Unsubscriptions - 
e Obfuscation of application pa- 


rameters 


Location Intermedia 
























e Contract Data 
© Position (at any time mobile 
device is on) 

© Time(s) of Localization(s) 

è IP-Address 

e Billing Data 

e Price categories of services 
used 

è Intermediary used 

























315 





The Regulation of Data Privacy in Hong Kong 


Ji Lian Yap 
Teaching Fellow 
School of Law, City University of Hong Kong 
jillyap@fastmail.fm 


Abstract: This paper seeks to provide a critical analysis of the re- 
gulation of data protection in Hong Kong, and then to suggest several re- 
commendations in that regard. In particular, three aspects of regulation 
will be considered, namely, enforced compliance, public consultation 
and public education. In the light of the recent resurgence of interest in 
Confucianism in China, the article also briefly explores how Confucian 
values contribute to this regulatory discussion. The article concludes that 
while there have been commendable efforts in the area of public con- 
sultation and education, the time has come for a greater degree of regu- 
latory compulsion in the form of various suggested reforms with regard 
to criminal sanctions and civil remedies, in order for Hong Kong to de- 
velop a robust data protection regime. This is particularly important in 
our digital age, where data protection is critical for the maintenance of 
trust in e-commerce and online transactions. 


Keywords: Data Protection, Privacy, Hong Kong, Regulation, Confucianism. 


Biographical Notes: Ji Lian Yap is a Teaching Fellow at the School of Law in City 
University of Hong Kong. She obtained her LLM from Cambridge University in 2002 
(with specialization in Commercial Law) and her LLB from the National University 
of Singapore (Deans' List) in 1998. Her teaching and research interests are in the areas 
of Commercial Law and Data Protection. 


1. Introduction 


Data protection legislation has been in force in Hong Kong for slightly more 
than a decade. In this time, Hong Kong’s data protection regime has been ha- 
iled as an example for other Asian nations to follow (Chik, 2005). This paper 
considers the regulation of data protection in Hong Kong. Three particular 
aspects of regulation will be examined, namely, enforced compliance, public 
consultation and public education. In the light of the recent resurgence of in- 
terest in Confucianism in China (Fan, 2007; Ford, 2007), the article examines 
how Confucianism might influence the regulatory discussion. The article conc- 
ludes that while there have been commendable efforts in public consultation 
and education, it is the appropriate juncture to consider a greater degree of re- 
gulatory compulsion with regard to criminal sanctions and civil remedies. In 


317 





this regard, several suggestions will be made for the consideration of legisla- 
tors, the Hong Kong Privacy Commissioner for Personal Data (“PCPD”) and 
other interested parties (such as the Hong Kong Department of Justice). A gra- 
dual shift in regulatory approach to a more confrontational stance is necessary 
in order for Hong Kong to maintain a robust data protection regime, for the 
maintenance of trust in online transactions in our digital age. 


2. Prescriptive legislation versus self-regulation 


In the context of data protection, regulatory options have often been viewed as 
a spectrum, with self-regulation and prescriptive legislation at polar opposites 
(Hong, 2007; Cannataci, 2002; Lundblad, 2002; Chik, 2005; National Inter- 
net Advisory Committee Singapore, 2002). Self-regulation involves the regu- 
lated party both prescribing and voluntarily complying with its own standards. 
In an idealized sense, the underlying basis of this is trust, namely the idea that 
the regulated party can be trusted to know and to do what is right, without ha- 
ving to be coerced. At its best, self-regulation represents an internalization of 
values. The idea is that if values are internalized, proper conduct based on those 
values will follow, without the invasiveness of an external authority prescribing 
and enforcing conduct. The idea of self-regulation may also be extended to the 
regulation of groups of persons or corporate entities who share the same work 
or interest, for example the regulation of press officers. In such instances, it is 
thought that the self-regulating body is likely to have the most in-depth un- 
derstanding of its trade practices and technical requirements and is thus in the 
best position to formulate and implement its own rules. A corollary of this is 
that in order for there to be effective self-regulation, the regulated party needs 
to have a sufficiently high level of education and understanding of the rele- 
vant regulatory issues, in order to effectively formulate its own rules. Other 
more pragmatic advantages of self-regulation are that it may be less costly and 
more flexible. 

However, a fundamental criticism of self-regulation is that it simply does 
not work. Delving deeper, self-regulation has been described as useful tool to 
pay lip-services to issues that are not regarded as important enough to merit 
state regulation (Cannataci, 2002). Regulation is thus seen as a signaling tool 
of what is important, and that failure to impose positive law in respect of an 
issue reveals its insignificance. Another problem with self-regulation is the 
perceived lack of reliability, credibility and transparency. It is perhaps for these 
reasons that prescriptive legislation may be required. 


318 


2.1 Regulatory variables 


In the context of environmental regulation, Sinclair (1997) has suggested that 
a dichotomous view of regulation with command and control regulation and 
self-regulation as mutually exclusive options is unrepresentative and unduly re- 
strictive, and that the better approach is to consider a number of “regulatory va- 
riables, which policy maker can use to fine-tune regulatory options to suit the 
specific circumstances of particular environmental issues” (p. 529). An appa- 
rent difference between prescriptive legislation and self-regulation is that the 
former involves enforced compliance while the latter involves voluntary com- 
pliance. Yet Sinclair points out that in reality there can be strong elements of 
compulsion in self-regulation as well. Within the context of environmental re- 
gulation, Sinclair cites various examples of where the motive for self-regula- 
tion is in fact to avoid the imposition of future legislative control. This is aptly 
characterized as self-regulation “in the shadow of the law.” (Sinclair, 1997 
p.536). 

This insight is equally applicable to the context of data protection as it 
is to environmental regulation. Indeed, self-regulation in the context of data 
privacy may be a response to commercial pressures instead of being a purely 
voluntary move. When the reputation of on-line purchasing portal is enhanced 
due to its compliance with non-binding data protection standards, is that truly 
self-regulation at work? Or would it be more realistic to characterize it as the 
insidious working of the market economy, which can provide sanctions in the 
form of shifts in consumer preference to other more privacy-friendly websites? 

Another useful illustration may be found in the development of data pro- 
tection in Singapore. Singapore’s Model Data Protection Code is voluntary, 
and Singapore is thus generally characterized as having a self-regulatory data 
protection framework (Chik, 2005; Hong, 2007). Yet it can be seen from the 
Report on a Model Data Protection Code for the Private Sector (the “Singapore 
Report”) prepared by the National Internet Advisory Committee Legal Sub- 
committee that one of the motivations for the setting up of a data protection re- 
gime in Singapore was commercial pressure. In the Executive Summary to the 
Singapore Report, it is noted that “the EU is Singapore’s third largest export 
market” (paragraph 2.3), and that an inadequate data protection regime in Sin- 
gapore might impede international trade, in the light of Article 25 of the Data 
Protection Directive 95/46/EC on the Protection of Individuals with regard to 
the Processing of Personal Data and on the Free Movement of such Data. In ad- 
dition, it can be inferred from the Singapore Report that if self-regulation pro- 
ves ineffective, legislative contrels might have to be employed. The Singapore 
Report states as follows: 


319 


“In the longer term, it remains to be seen whether a reliance on vo- 
luntary controls in the private sector would be completely effective 
or whether an appropriate degree of legislative intervention may be 
required. This would depend on the response of industry and consu- 
mers to the self-regulatory regime” (paragraph 6.1.11). 


A flavour of self-regulation “in the shadow of the law” can thus be discerned. 


Looking at the issue from the opposite angle, it is by no means clear that 
prescribed legislation always involves enforced compliance. This is because 
enforcement is a question of degree. Regulators may prefer to adopt a persu- 
asive and conciliatory stance, rather than a rigid and confrontational one. In the 
context of data protection in Asia, the former approach may be preferred when 
data protection rules are first introduced in a society that may not be familiar 
with such ideas. More will be said about this in the context of Hong Kong’s 
data protection regime later in this article. However, the point to note for now 
is that the danger of a maintaining a clear dichotomy between self-regulation 
and prescriptive legislation is that it may not take into account the fact that 
there can be strong and real elements of compulsion in self-regulatory regimes 
on the one hand, and a relaxed enforcement of prescribed legislation on the 
other. 

Another aspect of the dichotomous analysis of regulation is that pre- 
scribed legislation is externally imposed while self-regulation is self-formula- 
ted. However, in reality it often happens that public and industry consultation 
are often carried out in the legislative process, particularly if specialized is- 
sues are involved or if particular interest groups may be affected. In addition, 
education and mindset change are often emphasized in the context of self-re- 
gulation, as self-regulation ideally involves the development of a moral com- 
mitment to certain standards. However, public education and cultural changes 
are just as important within a legislative framework. This is particularly so in 
the context of data protection which is a relatively new concept that may be 
unfamiliar in some Asian societies. Thus the problem with viewing self-regu- 
lation and prescriptive legislation as polar opposites of a regulatory spectrum 
is that such analysis does not recognize the reality that public involvement in 
rule-making as well as public education both often feature strongly at both 
ends of the regulatory spectrum. 

In the field of data protection, Hong Kong has been hailed as an exam- 
ple for other Asian nations. It has been said that “Singapore, like many other 
Asian countries, could learn from Hong Kong’s experience” (Chik, 2005 p.89). 
Hong Kong has prescribed legislation for data protection, in the form of the 
Personal Data (Privacy) Ordinance (“PDPO”) which came into effect in De- 


320 


cember 1996. Yet in a study of Hong Kong’s data protection regime, a dicho- 
tomous approach that merely characterizes Hong Kong as having a prescrip- 
tive legislation-type framework might fail to give proper emphasis to the strong 
focus on public education and cultural change that has been an important plank 
in the development of the data protection landscape in Hong Kong. In the ear- 
lier mentioned study on environmental regulation, Sinclair (1997) had sugge- 
sted that in the light of the problems with a dichotomous view of regulation, 
environmental regulation should instead be approached by considering a num- 
ber of distinct regulatory variables. In the context of data protection in Hong 
Kong, we shall see that three aspects of regulation were important in the de- 
velopment of its data protection regime. These are: enforced compliance, pu- 
blic consultation and public education. In the next section we shall consider 
each of these factors. 


3. Hong Kong’s Data Protection Framework 


The concept of privacy is entrenched in the Basic Law of the Hong Kong Spe- 
cial Administrative Region of the People’s Republic of China (“Basic Law”), 
which sets out the relationship between the central Chinese authorities and 
Hong Kong. This includes the fundamental rights of Hong Kong residents, in- 
cluding Articles 28 (relating to personal privacy), 29 (relating to territorial pri- 
vacy) and 30 (relating to privacy of communication). 

With regard to data privacy, the centerpiece of Hong Kong’s data pro- 
tection framework is the PDPO. As stated in its long title, the PDPO is an Or- 
dinance to protect the privacy of individuals in relation to personal data. It was 
enacted in 1995 and has been in force since December 1996. At the heart of the 
PDPO are a set of Data Protection Principles in Schedule 1, which govern the 
purpose and manner of collection of personal data, the accuracy and duration 
of retention of personal data, the use and security of and access to personal 
data (amongst other things). The Data Protection Principles apply to “personal 
data” as defined in section 2 of the PDPO. Pursuant to section 4 of the PDPO, 
these principles must not be contravened by data users unless expressly allo- 
wed under the Ordinance. The PDPO provides for various criminal offences 
and civil remedies, as well as for the establishment of the PCPD. Both of these 
will be discussed further in the following paragraphs. 


3.1 Enforced compliance 


The PDPO provides a comprehensive statutory framework for data protection 
in Hong Kong. Section 64 of the PDPO sets out a long list of criminal offen- 
ses under the PDPO, punishable by fine and/or imprisonment. With regard to 


321 


civil sanctions, section 66 provides that any individual who suffers damage by 
reason of a contravention a requirement under the PDPO by a data user which 
relates to personal data of that individual shall be entitled to compensation 
from that data user. It is specifically provided that such damage may include 
injury to feelings. Pursuant to section 66(3) of the PDPO, it is a defence to 
show that the data user had taken such care as was reasonably required to avoid 
the contravention concerned. 

Overseeing the Hong Kong data protection landscape is the PCPD, who 
is empowered by the PDPO to monitor and supervise compliance with the 
PDPO, conduct inspections, carry out investigations and handle complaints. 
Case notes on the complaints dealt with by the PCPD can be found on the PCP- 
D’s website at www.pcpd.org.hk. In addition to discharging these functions, 
the PCPD has issued Codes of Practice on diverse matters such as identity card 
numbers, human resource management and consumer credit data. Pursuant to 
section 13 of the PDPO, non-compliance with these Codes do not of themse- 
Ives render the data user liable to any civil or criminal proceedings, but a bre- 
ach of a Code would give rise to a presumption against the data user in legal 
proceedings under the PDPO. 

While the legislative framework in the form of the PDPO obviously in- 
volves enforced compliance, an important qualification must be noted in re- 
spect of the Data Protection Principles, which are the core of the PDPO. 
Berthold & Wacks (2003) have noted that “an unusual feature of the Ordinance 
is that a contravention of any provision other than the data protection princi- 
ples is a statutory offence” (p.365), and that in view of the lack of precision of 
the Data Protection Principles “it was not thought appropriate to attach crimi- 
nal sanctions” (p. 365) to them. There is thus a focus on compliance with the 
spirit of data protection as embodied within these relatively loosely drafted 
principles. While a data user may face civil claims for compensation under 
section 66 of the PDPO as a result of non-compliance with the Data Protection 
Principles, the crucial additional “stick” in the form of criminal sanctions for 
such non-compliance is absent. 

It is also important to note that the overall approach of the PCPD has 
generally been characterized as conciliatory rather than confrontational. The 
PCPD Mr Roderick Woo noted in a speech at the Hong Kong Translation So- 
ciety Luncheon Talk on 22 July 2006 (the “22 July 2006 Speech”) that “tradi- 
tionally, (the PCPD had) tended to err on the side of conciliation” and had 
“gone for mediation over confrontation”. 


3.2 Public consultation 


Data protection laws in Hong Kong were only imposed after a full study had 


322 


been carried out. The comprehensive consultation process was detailed in the 
report by the Law Reform Commission entitled “Reform of the Law Relating 
to the Protection of Personal Data”. Members of the sub-committee studying 
the issue included representatives from the telecommunications and banking in- 
dustries as well as from the press. Submissions on the consultative document 
were received from more than eighty organisation and individuals, including 
commercial firms and professional bodies. 

The PCPD has continued this emphasis on public consultation. The va- 
rious consultation papers issued by the PCPD may be found on its website at 
www.pepd.org.hk. For example, on 22 May 2007, the PCPD issued a consul- 
tation paper to seek the public's views on the proposed amendments to the Code 
of Practice on Consumer Credit Data. The PCPD in turn is empowered under 
section 8(1)(d) of the PDPO to examine any proposed legislation that may af- 
fect the privacy of individuals in relation to personal data, and to report the re- 
sults of that examination to the person proposing the legislation. An instance 
of the PCPD responding to consultation papers issued by other organisations 
is the PCPD’s letter on 26 April 2007 (available on the PCPD’s website) in re- 
sponse to a consultation paper issued by the Commerce, Industry and Techno- 
logy Bureau entitled “Copyright Protection in the Digital Environment”. 


3.3 Public education 


The PCPD has placed much emphasis on educating data subjects and users of 
their rights and obligations under the law. On the PCPD’s website is a wealth 
of informative notes and leaflets, an on-line self-training section for members 
of the public to be educated about the PDPO, and a privacy zone for young- 
sters. Various promotional activities and exhibitions are also conducted to im- 
prove public awareness of privacy issues. 

Lessig (1999) has argued that societal norms play a part in the regula- 
tion of behaviour. The public education efforts of the PCPD go some way to- 
wards shaping these norms. However, it is appropriate this juncture to look 
further back in time at the philosophy of Confucius (the influential Chinese 
scholar), to consider how his theories might impact on the discussion of regu- 
latory options, and indeed on the notion of privacy as a whole. A look at Con- 
fucian values is particularly important at this time, there has been a recent 
resurgence of interest in the works of the great sage in Chinese society. 


323 





4. Confucianism, Privacy & Regulation 


“Virtue is not solitary. It is bound to have neighbours.” 
Confucius (551-479 B.C.)(as translated in Dawson, 1993 p.15) 


“Communists dust off Confucius amid upheaval of rapid growth” announced 
the headlines of an article by Peter Ford published on 12 July 2007 in the South 
China Morning Post. The article continues: “For nearly a century the ancient 
sage was confined to the intellectual doghouse in the land of his birth. But 
today he is fast catching up with communism as the mainland’s rulers, busi- 
nessmen and ordinary citizens turn back 2,500 years to (Confucius’) teachings 
to help them cope with the economic and social changes wracking the coun- 
try”. It appears that China, in looking to Confucius, is seeking a moral compass 
to guide her people along the tricky paths of economic development and social 
change. Here in Hong Kong, the influence of Confucianism is palpable. Con- 
fucius is well-known in Hong Kong and devout followers celebrate his birth- 
day. A British colony until 1997 when she was returned to Chinese rule, Hong 
Kong remains a successful financial centre, with English still being widely 
used in the commercial world. However, beneath this westernized and capita- 
listic exterior, the influence of China and all things traditionally Chinese (inc- 
luding the values of Confucianism) can be strongly felt. 

Are Confucian values the antithesis of privacy? At first glance, the no- 
tion of privacy and the values espoused by Confucius do not appear to sit well 
with each other. Confucius emphasized the importance of social harmony, with 
resulting from every individual knowing his place in the social order and ful- 
filling his part. Deference, filial piety, respect for elders and social obligation 
all feature strongly in Confucian’s teachings. 

In contrast, the notion of privacy is in many ways an individualistic con- 
cept. Warren & Brandeis (1890) in their seminal paper “The Right to Privacy” 
characterized privacy as the right to be let alone. More recently, Weinstein 
(1971) described privacy as “a condition of being-apart-from-others” (p. 88). 
The profound importance of privacy has been detailed in many works of 
literature. For example, in her celebrated piece “A Room of One’s Own”, 
Virginia Woolf stressed the importance of privacy as one of two necessary 
factors for the development of female writers of excellence. In her view, a 
woman had to have money and a room of her own if she was to write fiction. 
Why is privacy importance? Privacy offers an individual space to collect and 
formulate his thoughts and ideas. Personal privacy provides the path for 
creative work, as well as spiritual contemplation. Amongst individuals, privacy 
is necessary for sharing of personal thoughts and ideas, leading to the 
development of deep friendship and intimacy. 


324 


It thus appears at first glance that privacy and Confucian values are 
entirely at odds with each other. However, a closer look at the teachings of 
Confucius reveals certain aspects of Confucian philosophy that are in fact 
congruent with the idea of privacy protection. Confucius taught the importance 
of courtesy. Is the instinctive disapproval of an overly intrusive and insensitive 
press taking photographs of disaster or accident victims not founded on a belief 
that such behaviour violates common courtesy? Confucius also emphasized 
culture and personal mental development. While not directly related to privacy, 
one of the reasons why privacy is recognized as important is that it allows an 
individual time and space to process and develop his thoughts and views. As 
Weinstein (1971) stated: 


“Some minimum grant of privacy for each person is morally necessary 
if only because contemplation is a part of the good life. The human being 
who understands the full range of his consciousness will be more fit to 
participate as a full person in his social relations than one who does not 
have such knowledge” (p.104) 


Thus insofar as Confucius emphasized the cultivation of one’s mind, 
Confucian values do indirectly embrace the idea of privacy, as some degree of 
privacy is arguably necessary to allow an individual time and space for such 
personal mental cultivation. 

With respect to regulation, Confucius took the view that in order to gov- 
ern others there must first be effective self-governance. As stated in The 
Analects of Confucius (as translated in Dawson, 1993), “The practice of gov- 
ernment by means of virtue may be compared with the pole-star, which the 
multitudinous stars pay homage to while it stays in its place.” (p.6) The idea 
was that the leader’s personal goodness would then influence his nation in a 
positive way. The emphasis is on moral integrity and leading by example, rather 
than the employment of positive laws as a means of maintaining social har- 
mony. As stated in the Analects of Confucius (as translated in Dawson, 1993): 
“If you lead them by means of government and keep order among them by 
means of punishments, the people are without conscience in evading them. If 
you lead them by means of virtue...they have a conscience and moreover will 
submit.” (p.6) The parallel with self-regulation is clear, as both contemplate 
an absence of positive law. However what Confucianism may add to the dis- 
cussion of modern day data protection is the emphasis on leading by example. 
While data protection may have limited effectiveness in the absence of posi- 
tive laws, public officers leading by example will certainly add moral weight 
to data protection legislation. In fact, leading by example may be seen as a sub- 
set of public education and publicity. As stated in the Bible, “Even a child 


325 





makes himself known by his doings, Whether his work is pure, and whether it 
is right.”(Proverbs 20:11) 

In Hong Kong, there appears to be an unarticulated but clear emphasis 
on the Confucian idea of inculcating values by influence and example. The 
PCPD alluded to some success in “influencing the public sector of the need to 
lead by example in terms of their personal data privacy policies” in his 22 July 
2006 Speech. This approach directly echoes Confucius’ view of government by 
virtue and influence. However, the leakage of personal information of more 
than 20,000 people who had lodged complaints against the Hong Kong police 
over the past decade (which will be discussed in more detail later) suggests 
that the public sector still has some way to go in the area of privacy protection. 


5. Recommendations 


We have considered Hong Kong’s data protection regime through the lense of 
three regulatory variables, namely, enforced compliance, public consultation 
and public education, and also seen how Confucianism may contribute to the 
discussion on regulatory approaches. The efforts made in the areas of public 
consultation and education are commendable and should be continued. Ho- 
wever, it is suggested that this alone is insufficient for the adequate protection 
of data privacy in Hong Kong. In particular, further improvements should be 
made in the area of regulatory compulsion. 

Indeed, it is suggested that the time has come for a tougher overall 
stance to be taken in the protection of privacy. The PDPO came into force in 
December 1996, more than a decade ago. Any excuse that the public is unfa- 
miliar with the importance or the notion of data protection is unpersuasive. 
Hong Kong needs to have a robust data privacy regime in order for it to main- 
tain its credibility as an international financial centre. As stated the report by 
the Law Reform Commission of Hong Kong on “Reform of the Law relating 
to the Protection of Personal Data”: 

“If Hong Kong is to retain its status as an international trading centre, it 
is vital that it participates in the burgeoning international exchange of perso- 
nal data. Increasingly, its capacity to do so will depend on its satisfying other 
countries that it offers an adequate level of legal recognition of the data pro- 
tection principles.” (paragraph 5.7) 

Several specific recommendations flow from this point, which are for 
the consideration of legislators, the PCPD and other interested parties (such as 
the Hong Kong Department of Justice). The first relates to the criminal sanc- 
tions for contravention of a Data Protection Principle. As earlier discussed, in 
view of the lack of precision of the Data Protection Principles, it was thought 
inappropriate to attach criminal sanctions to them. Indeed, it is specifically 


326 


provided in section 64(10) of the PDPO that contravention of any requirement 
of the PDPO other than a Data Protection Principle is an offence. 

It is only by an indirect and roundabout way that criminal sanctions 
might attach to contraventions of the Data Protection Principle. Pursuant to 
section 50 of the PDPO, the PCPD may serve an enforcement notice on a data 
user if he is contravening a requirement under the PDPO, or if he has contra- 
vened such a requirement in circumstances that make it likely that the contra- 
vention will continue or be repeated. Section 2(4) of the PDPO specifically 
clarifies that references to the effect that a data user has contravened or is con- 
travening a requirement under the PDPO includes contravention of Data Pro- 
tection Principles. Accordingly, if an enforcement notice is served on a data 
user and if that data user contravenes the enforcement notice, he commits an 
offence under section 64(7) of the PDPO. However, it is a defence under sec- 
tion 64(8) of the PDPO for the relevant data user charged with such an offence 
to show that the data user exercised all due diligence to comply with the en- 
forcement notice concerned. 

The Data Protection Principles (as the name implies) seek to embody 
the spirit of various aspects of data privacy. They are thus necessarily crafted 
in looser terms. To take Data Protection Principle 1 as an example, it is pro- 
vided therein that personal data must be collected by means that are “fair” and 
that the data collected must be “adequate but not excessive”. The attachment 
of criminal sanctions to the breach of the Data Protection Principles would thus 
be inappropriate in view of such loose formulations (as earlier discussed). 

The situation however, appears to be quite different in relation to en- 
forcement notices under the PDPO. Section 50(1)(iii) of the PDPO provides 
that the enforcement notice is to “(direct) the data user to take such steps as are 
specified in the notice to remedy the contravention or, as the case may be, the 
matters occasioning it” within a prescribed period. Further, pursuant to section 
50(3) of the PDPO, “the steps specified in an enforcement notice to remedy any 
contravention or matter to which the notice relates may be framed (a) to any 
extent by reference to any approved code of practice; (b) so as to afford the re- 
levant data user a choice between different ways of remedying the contraven- 
tion or matter, as the case may be.” It is apparent that, in contrast with the more 
general approach in the Data Protection Principles, a higher degree of clarity 
is contemplated in the framing of the enforcement notice, and the steps therein 
that the data user must take. In view of this, it is suggested that there is no ne- 
cessity for the defense in section 64(8) of the PDPO that provides the data user 
with a defense if he takes all due diligence to comply with the enforcement 
notice. Once an errant data user receives an enforcement notice he should com- 
ply with the steps specified therein or face criminal sanctions accordingly. This 


327 


strict liability approach would provide greater motivation to errant data users 
to take enforcement notices seriously. It follows from this that in crafting the 
enforcement notice, the steps specified therein should be clear, specific and re- 
asonable. This should not pose difficulty since, unlike Data Protection Princi- 
ples which are addressed to the “world at large”, an enforcement notice is 
directed at a particular data user to remedy a particular breach, and thus can be 
crafted with specificity in the light of the facts. 

The second recommendation also relates to criminal prosecution. 
Under the current data protection regime the PCPD is not empowered to carry 
out prosecutions. Rather, the PCPD must refer suspected contraventions to the 
Secretary for Justice who then decides whether to prosecute. This approach 
differs from that in the United Kingdom where the Information Commissioner 
may carry out prosecutions. The problem with the Hong Kong approach was 
vividly illustrated in the leakage of personal information of more than 20,000 
people who had lodged complaints against the Hong Kong police over the past 
decade. It has been pointed out that as the PCPD does not have the power to 
prosecute contraventions of the PDPO, prosecution would be conducted by the 
police, which was inappropriate given that the complaint involved police con- 
duct (Maurushat, 2006). The PCPD Mr Roderick Woo was also reported to 
have said that if the PCPD were to be granted the power to prosecute, “it would 
save a lot of time and effort” (Kwok, 2006). There thus appear to be cogent re- 
asons for expanding the role of the PCPD to the prosecution of offences under 
the PDPO. 

Civil remedies are another facet of regulatory compulsion, in that data 
users are more likely to be deterred from contravening the PDPO if doing so 
might expose them to civil claims. It has been noted that the PCPD is not em- 
powered to assist citizens in litigation (Maurushat, 2006). In this regard, in- 
spiration may be drawn from section 53 of the United Kingdom Data 
Protection Act 1998, pursuant to which the Information Commissioner may 
provide assistance in civil claims in certain specified circumstances and if they 
involve matters of “substantial public importance”. It is suggested that empo- 
wering the PCPD to assist in civil litigation in matters of substantial public im- 
portance may serve as an encouragement for litigants to bring forth such 
claims. In addition, this might contribute to the development of a greater body 
of local case law on data protection. 

The overarching thrust of these proposals is a gradual move away from 
the conciliatory tones of present data protection regime to a more confronta- 
tional stance. Given that both criminal and civil litigation are conducted pu- 
blicly, data users will find it harder to avoid bad publicity arising from the 
breach of data protection laws. Berthold & Wacks (2003) have pointed out that 


328 


these “reputation costs” (p. 397) would serve as an incentive for greater com- 
pliance. The PDPO has been in force since December 1996, some while ago. 
Far from being an unknown and foreign concept, data protection is now a rec- 
ognized and familiar notion in Hong Kong. A multi-pronged approach is thus 
required, with public education and consultation continuing alongside robust 
enforced compliance. As data privacy is critical for trust in e-commerce and on- 
line transactions, a comprehensive and effective data protection regime is an 
important dimension in the overall legal infrastructure of Hong Kong. In the 
words of the PCPD Mr Roderick Woo in his 22 July 2006 speech: 


“If, after nearly 10 years of privacy legislation, data users persist in 
practices that demonstrate blatant irresponsibility concerning their legal 
obligations to protect personal data then it is time to evaluate other op- 
tions.” 


References 


1. Berthold M. & Wacks R. (2003) Hong Kong Data Privacy Law — Territorial Regula- 
tion in a Borderless World. Sweet & Maxwell Asia. 

2. Cannataci J.A. & Bonnici J.P.M. (2002) Can self-regulation satisfy the transnational 
requisite of successful Internet regulation? Retrieved 22 August 2007 from www.bi- 
leta.ac.uk. 

3. Chik W (2005) The Lion, the Dragon and the Wardrobe Guarding the Doorway to 
Information and Communications Privacy on the Internet: A Comparative Case Study 
of Hong Kong and Singapore — Two Differing Asian Approaches, IJLIT Vol.14 No. 
1. 47-100. 

Dawson, R. (1993) Confucius — The Analects. Oxford University Press. 

5. Fan, M. (July 24, 2007) Confucius making a comeback in money-driven modern 
China. Washington Post Foreign Service. 

6. Ford, P. (July 12, 2007) Communists dust off Confucius amid upheaval of rapid 
growth. South China Morning Post. 

7. Hong D. & Lee D. (2007) Protecting Privacy in an ever-changing technological land- 
scape: Hither, Thither, Whither. Retrieved 22 August 2007 from Inter Se Online at 
www.sal.org.sg 

8. Kwok, L. 14 March 2006. Human error culprit in police files net leakages. The Stan- 
dard. 

9, Law Reform Commission Hong Kong (1994) Reform of the Law Relating to the Pro- 
tection of Personal Data. 

10. Lessig L. (1999) Code and Other Laws of Cyberspace. Basic Books. 

11. Lundblad N. & Kiefer A. (2002) The Economic Efficiency of Self-regulation — Two 
Case Studies. Retrieved 22 August 2007 from www. bileta.ac.uk. 

12. Maurushat A. (2006) Who let the cat out of the bag? Internet data leakages and its im- 
plications for privacy law and policy in Hong Kong. 36 HKLJ7 

13. National Internet Advisory Committee (Legal Subcommittee) (Singapore) (2002) Re- 
port on a Model Data Protection Code for the Private Sector. 


329 





18. 


Sinclair D. (1997) Self-regulation versus command and control? Beyond False Di- 
chotomies in Law & Policy Vol. 19, No. 4, 529-560 


Warren & Brandeis (1890) The Right to Privacy. 4 Harvard Law Review 193. 
Weinstein M.A. (1993) The Uses of Privacy in the Good Life. Nomos XIII 88-104. 


Speech by PCPD Mr Roderick Woo at the Hong Kong Translation Society Luncheon 
Talk on 22 July 2006. Privacy and the Development of Privacy Rights in Hong Kong. 
Retrieved 22 August 2007 from www.pcpd.org.hk. 


Woolf V. (1929) A Room of One’s Own. Harcourt Brace Jovanovich 


Acknowledgments 


The author would like to thank Dr. Rebecca Wong of Nottingham Trent University for 
her helpful comments on an earlier draft of this paper. All errors however remain the 
sole responsibility of the author alone. 


330 


Privacy protection and the right to information: 
in search of a new symbiosis in the information age 


Pieter Kleve and Richard De Mulder 
Prof. R.V. De Mulder and dr. P. Kleve work at the Centre for Computers and 
Law, 
Faculty of Law, Erasmus University Rotterdam 


kleve@law.eur.nl; demulder@law.eur.nl 


Abstract . The dichotomy between personal privacy and free 
access to information, which has come increasingly to the fore with the 
advance of information technology, justifies a reconsideration of these 
traditional values and interests. In this article, it is contended that pri- 
vacy, as a constitutional right, is subject to changing norms as a result of 
the advent of the information society. In today’s information society, ci- 
tizens weigh the importance of protecting privacy against the advanta- 
ges of free access to information. The criterion they use is a rational one: 
an evaluation of which option provides the individual with the most be- 
nefit. The protection of privacy is no longer an unconditional good. For 
state organisations to champion privacy at any cost is, therefore, out of 
step with this development. A new balance has to be established between 
the citizen’s right to privacy and their right to know, taking into account 
this shift in values. In order to prevent on the one hand overzealous pro- 
tection and, on the other, the abuse of information, it is necessary to set 
up the monitoring function in a new way. 


1. The world has changed (1) 


Information technology is fundamentally changing society as we know it. A 
new era has arrived: the information age. This is the most obviously apparent 
in communications. Events from all over the world can be relayed by the mass 
media within the shortest time. It has deeply affected economics: markets have 
become global. Indeed it would not be an exaggeration to describe the world 
as one market place. These changes appear to have brought economic progress 
to the western world. Even former communist countries have converted to mar- 
ket economies. Exchanging goods and services via the market mechanisms in- 
stead of by controlling polices has been shown to be more advantageous. Some 
commentators are so convinced of the triumph of the liberal democratic state 
that the “end of history” has been announced. [1] 

The exchange of information is a characteristic of the market. If this in- 
formation exchange becomes easier and cheaper, then the markets will func- 
tion even better and become ‘global’. Information directs the processes. 


331 








However, information is more than this: it has also become a primary product. 
In societies saturated with material goods, the information industry has begun 
to have a huge influence on our behaviour. The same tendency, however, can 
be seen in less materially affluent lands. 

At the same time, ‘marketing thinking’ has made huge headway. Busi- 
ness administration has gone through a process of becoming more scientific 
and technologically advanced. The successful businessman is therefore a ra- 
tional and well-informed decision-maker. When a manager consults a lawyer, 
he can hardly be expected to be happy if the lawyer answers “it might not pose 
any problems” or “we might win the lawsuit”. Lawyers can expect their clients 
to become more critical. If a client has to decide whether to start an action, he 
needs certain information. For example, a client expects to be a € 100,000 ri- 
cher if he wins the action. Before he decides to sue he will want to know what 
the legal or other procedural costs are (lets say € 70,000) as well as the chan- 
ces of winning the suit. There is no point in proceeding unless the probability 
of success is at least 70%. The manager will require a sufficiently reliable es- 
timation of this probability before deciding to take the case to court. 

In the modern economy, marketing, production management and finance 
are influenced by rational decision-making. Modern managers talk in terms of 
expenditure and profit, and of the probability of occurrences taking place. De- 
cisions are made on the basis of knowledge of these variables in the past and 
the expectations about them in the future. 


1.1 Globalisation 


Technology has increased mobility and thereby accelerated the process of glo- 
balisation. Not only can people travel more quickly from place to place, but 
communication has become much easier and faster with the advent of Internet 
and the mobile phone. The world order as we have known it is changing and 
that makes directing, controlling, enforcing traditional norms or obtaining an 
overview of society in general more difficult. Change brings uncertainties with 
it. 

In studying how people behave, an initial analysis reveals that rationa- 
lity plays a role here too. In this respect, a revolution has taken place over the 
last ten to twenty years. We are referring here to the paradigm (according to 
Kuhn) [2] that can be used to study human behaviour, and to try to explain, 
predict and direct it. Many social scientists base their research on a sociologi- 
cal model of man. This model states that people will behave in a way consistent 
with the norms of the group to which they belong. However, modern econo- 
mists usually use a different model of man, the homo economicus or the REMP 
(the resourceful, evaluating, maximising person). [3] Processes are studied 


332 


from the perspective of methodological individualism, in other words descri- 
bed, explained and predicted on the basis of the behaviour of individuals. The 
REMP is an individual who tries to maximise his own utility in all his decision- 
making. Ideologically, that may sound undesirable. However, in practice it is 
often the case that individuals see their own interests are served by taking 
others into account and by interacting with the outside world in a creative and 
anticipatory way. Negotiation is natural for the REMP. 


2. Changing norms and concepts (1) 


The REMP is a relatively new concept. The rational model of man appears to 
have become the dominant way of thinking. Emotions, norms and values, even 
irrational elements, seem to be subject to radical changes. For example, the 
ideas about privacy appear to have changed. In the recent past, it would be 
unacceptable for many people to show their naked bodies, or naked emotions 
for that matter, to other people. At the same time it would be immoral or at 
least “not done” to observe these things other than under specific circumstan- 
ces, such as in a doctor-patient situation, or as a form of art. These days, pe- 
ople show their emotions and bodies to mass audiences and seem to feel 
perfectly happy with it. A related concept, anonymity, is also subject to diffe- 
rent norms and values. Some people claim that they have a right to anonymity 
as well as a right to take on a different identity, for example while surfing the 
internet and chatting with others. 

This shift in norms is evident in various situations. Freedom of infor- 
mation and intellectual property are clearly seen in a different way from in the 
past. The Internet has made it very easy to infringe the intellectual rights of 
others and at the same time many of those who would have been seen as cri- 
minals in the past, are now claiming their ‘freedom of information’. The ava- 
ilability of information allows the reliability of accountants and firms, for 
example, to be challenged, as well as the enormous salaries and option plans 
for some managers in businesses and even in ‘privatized’ state bodies. On a 
perhaps somewhat cynical note, although war is nothing new, it now seems to 
be acceptable, to some at least, that thousands of civilians are killed during mi- 
litary operations to ‘bring democracy’ to other nations. 


3. New legal questions in the ‘information society’ 


Information technology has, without doubt, made an impact on society. Tech- 
nological advances, in general, have been considerable over the last 150 years. 
It is a period that has seen the Industrial Revolution superseded by the Infor- 
mation Revolution. Technological applications are numerous and various, and 


333 


have become integral to the society we know today. That technology is used for 
the processing of personal data is, in this context, not extraordinary. Indeed, its 
application is rather obvious given that the techniques are easily applied and 
that society as a whole has acquired a more technically orientated character. 

In the graph below the idea is expressed that the actual impact of tech- 
nology on society is far greater than perceived by most people. Furthermore, 
the discrepancy between actual and perceived impact is growing. 

Technology has also affected people at an individual level. That there are 
more and more options open to people, and more and more information, makes 
it necessary for people to approach decision-making rationally. Increasing we- 
alth and economic independence have prompted a process of individualisation. 
Traditional social structures have become less a matter of course, indeed they 
are sometimes experienced as obstacles in the way of reaching individual goals. 
The rational model of man is arguably now the best predictor of human beha- 
viour. [4] 


= Actual 
wma Perceived 


Iniporlance 


| 


Time 


The question that arises is whether the information society is simply a 
modern term meaning nothing more than an increase in information together 
with an increase in global distribution and access possibilities, or whether a 
more fundamental change is taking place. This question is imortant because 
fundamental changes demand creative and, in particular, unorthodox appro- 
aches to new social issues. 

Four stages can be pinpointed in the development of technology:[5] 

The first stage is characterised by the ability to influence spatial struc- 
tures, for example building a hut or a house. 

The second stage consists of the possibilities for changing spatial struc- 
tures, for example the wheel or hinged doors. 

The third stage gives the possibility to control the powers that are ne- 


334 


cessary to bring things into motion. The invention of the steam engine anno- 
unced the age of the ‘Industrial Revolution’. 

The fourth stage offers the possibility of using the energy stored in an ar- 
tefact to allow the artefact to start or stop itself etc. 

The information age can be associated with the fourth stage in the de- 
velopment of technology. It is characterised by the ability of machines to pro- 
cess information — something that formerly only people (and animals) could do 
— just as the third stage was characterised by the ability of machines to per- 
form labour. The computer is to information processing what the steam engine 
was to the use of energy in artefacts. For this reason, this age is referred to as 
the ‘Information Revolution’. It should be clear, that the answer to our question 
is that the information society is essentially new because nowadays also ma- 
chines can interpret data. 

The information society has brought with it many new questions, which 
arise in various areas. These questions range from those on intellectual pro- 
perty, such as the legal protection of software, chips and data, to so-called ‘e- 
business’, with its implications for commercial and contract law, into criminal 
law, with concerns for enforcement and cross border issues, to questions con- 
cerning privacy, which is the subject of this article. 

Although, given the nature of the technology, these questions may be 
new, not all of them raise new legal issues. It is, therefore, not the case that all 
the new questions which arise from the information society need to be dealt 
with by new laws. It should not be an automatic reflex for lawyers to resort to 
legislation when confronted with new questions. A balanced approach would 
first dictate an examination of which legal domain would be the most appro- 
priate to look for a solution. Then existing legal rules could be consulted. The 
next step would be to examine the applicability of these legal rules by making 
use of existing doctrinal interpretation. Only then, if the conclusion is reached 
that an interpretational method would fail to secure a responsible and desira- 
ble application of the rule, should the issue of new legislation be raised. If, as 
a last resort, a decision is made to amend the law, another issue should be exa- 
mined. Does the desirability of a new law stem from the incompatibility of 
principles or terminology in the existing law with the new factual situation, or 
does it arise from social developments themselves and a shifting, or even a 
transformation, of the norms and values behind those principles and termino- 
logy? With respect to the latter option, this is not so often the case although the 
chance of such a shift is greater where the paradigm has altered and where 
there have been radical technological developments. That is, however, the po- 
sition at present. 

If this approach to legislative initiative is taken into account, then it is 


335 





rather surprising that in the last few decennia so many new laws have come into 
force as a consequence of information technology. Examples of law that would 
have not survived the first stage would be the software, chips and database 
laws. These new laws have not achieved anything that the application of exi- 
sting laws to the new questions could not have achieved. Take the law on elec- 
tronic signatures, for example, where the presumption was made that the 
terminology of the old law was incompatible with the new factual situation. 
However, had existing doctrinal interpretation been applied (an ‘electronic si- 
gnature’ is still a signature), these new laws would simply have been super- 
fluous. Examples of the shifting of norms can be found in software and 
database laws and in file sharing and spam. With respect to software and da- 
tabase laws, when intellectual property laws were declared applicable to so- 
ftware and database, in the slipstream an implicit shifting of norms was 
implemented. In the case of software, this has taken the form of a clause for- 
bidding decompilation, and for databases a de facto extension of the exploita- 
tion rights with a use right. [6] These are actually examples of a shifting of 
norms where it is not clear if this had been sufficiently realized. As to file sha- 
ring, this is an example of a social development which inevitably have to lead 
to a shift in norms in the form of an exception to copyright rules in order to 
allow copying (in the broad sense of reproduction and transformation) for pri- 
vate use. [7] 

The answer to spam is, of course, ‘white listing’ not legislation. By white 
listing is meant that people may use the technology to decide for themselves 
who has access to their communications. The increase in spam will make white 
listing, allowing access to ‘known senders’, more attractive than the nowadays 
frequently used option of black listing, the method of blocking ‘undesired sen- 
ders’. [8] Why is white listing the obvious answer to spam? That has to do 
with the fundamental characteristic of the information society, namely that in 
the fourth stage of the development of technology machines can also interpret 
data. Until the advent of this fourth phase, white listing was simply not an 
option because this could not be achieved effectively. The information society 
has made a fundamentally new problem solving system possible, one that we 
are discovering the possibilities of step by step. 


336 


The consecutive dependence relationships between technology, social 
developments and law are represented in a model. 







technology 






emp/business 
adminisration 


The model consists of three concentric circles. 


The basis for this model is positivism, in other words that one reality exists 
and that that reality can be known. The outer circle encircles ‘can’, the tech- 
nology. The middle circle covers that which people ‘want’, within the limits of 
what is possible, using the REMP as the model for describing, predicting, 
explaining and steering human behaviour. As a multidisciplinary science, bu- 
siness administration offers a structure to obtain insight into (individual) uti- 
lity considerations. Finally, the inner circle is the domain of law, of ‘may’ (and 
‘must’) of demands and authorisations, of norms and facilitation. Law is an 
artefact for the facilitating of human interactions, for example in the form of 
‘property’, ‘majority’, ‘marriage’, ‘purchase’. Through fixing norms and sanc- 
tions it delineates the external boundaries of human ‘want’. Law can steer 
‘want’, but is not decisive, and is itself limited by ‘can’. 


4. Changing norms and concepts (2) — The privacy concept 


In an article by Warren and Brandeis, written at the end of the nineteenth cen- 
tury, a definition of privacy was laid down based on a definition by Judge Co- 
oley. [9] That definition, the ‘right to be left alone’, is still the current one. 
Warren and Brandeis describe the development of the concept of privacy from, 


337 





at the outset, the protection of life and property towards the recognition of 
men’s spiritual nature, of his feelings and his intellect: “the right to life has be- 
come the right to enjoy life [...] and the term ‘property’ has grown to com- 
prise every form of possession, intangible as well as tangible”. Thoughts, 
emotions and sensations should be covered by a more general right to privacy. 

With respect to a general right of privacy, one school of thought is of the 
opinion that everything that a general law on privacy would protect, is actually 
already sufficiently protected by property laws, laws dealing with offences aga- 
inst the person and human rights, such as the right not to have private com- 
munication tapped. [10] For some, this offers a too limited vision of the concept 
of privacy. [11] Yet another school of thought considers that the influence of 
technology demands a more coherent legal concept of privacy, in which a broad 
scale of privacy problems can be designated. [12] However, what is intere- 
sting about the article by Warren and Brandeis is that it was written as a reac- 
tion to “recent inventions and business methods”. This referred to the growth 
of the ‘yellow press’, which was a consequence of the developments in pho- 
tography and printing, through which “Instantaneous photographs and new- 
spaper enterprise have invaded the sacred precincts of private and domestic 
life; and numerous mechanical devices threaten to make good the prediction 
that ‘what is whispered in the closet shall be proclaimed from the house-tops’.” 
When positioned within the above mentioned four stages in the development 
of technology, what attracts attention is that the elegy of Warren and Brandeis 
takes root in the transition into the ‘Industrial Revolution’, whereas we are now 
facing the transition into the ‘Information Revolution’. Major transitions ap- 
parently lead to strong reactions. The question that is posed in this article is 
whether such reactions belong to a time long since passed. In other words, isn’t 
privacy — the right to be left alone — rather a barometer of the level of techno- 
logical development then a universal and non-negotiable basic right? [13] 

An examination of social developments leads to the inevitable conclu- 
sion that since the time of Warren and Brandeis the ‘right to be left alone’ has 
been diminished. In a society that has become so complex, with so many rela- 
tions of interdependence, that conclusion is hardly surprising. Limitations on 
privacy are often associated with totalitarian regimes. However, an unlimited 
right to privacy could have made the present democratic state, with its rule of 
law and high living standards, equally impossible. A considerable number of 
laws are based on infringements of privacy in favour of the operation of the pu- 
blic administration, in order to enforce public order, safety and security. In ad- 
dition to this infringement of privacy with respect to the classic constitutional 
relationship between public authorities and citizens, there would also appear to 
be a similar tendency in the private sector. [14] 


338 


The ‘yellow press’ has become an important element of the amusement 
industry. Instead of the limitations proposed by Warren and Brandeis, this form 
of operation has now spread to the television and the Internet. Apart from the 
philosophical and principled question of whether there is such a thing as a uni- 
versal and inalienable right to privacy, in practice it would seem such a pro- 
position is unrealistic. To take part in modern society, the citizen is expected 
to have a job, a bank account, a social security number and health insurance, 
details of all of which may have to be provided to various other parties. En- 
forcement of the right to be left alone seems to be confined to situations where 
freedom of movement is at issue. In the classic constitutional relationship, this 
comes to the fore in matters such as freedom of the press, freedom of associa- 
tion and meeting, the freedom to gather information. With respect to the hori- 
zontal operation of constitutional rights — the relation between citizens — it 
affects such matters as aggravated assaults, or threats of violence, harassment 
and stalking, libel and slander. 

Westin gives a very broad definition of the concept of privacy: “privacy 
is the claim of individuals, groups or institutions to determine for themselves 
when, how, and to what extent information about them is communicated to 
others”. [15] Westin even goes as far as to ascribe to institutions a personal life. 
That is remarkable given legal persons normally have a more onerous duty to 
make certain matters public than private person (for example compulsory re- 
gistration, in some countries a minimum level of share capital, and financial ob- 
ligations). This definition is, however, of particular interest in this article 
because Westin lays the emphasis on communication. His definition seems to 
have taken shape with the rise of telecommunication and the possibilities for 
tapping these communications. It is also interesting because it can be conside- 
red representative of the way in which the concept of privacy was approached 
in a time in which many countries implemented specific privacy laws (for 
example, to regulate tapping) as well as more general laws in the form of data 
protection acts. Whether such laws are practical and/or desirable is a matter 
that will be dealt with below. 

The increased attention for privacy issues seem to have been influenced 
by technological developments, with privacy moving from a feeling to a more 
technocratic concept, which in turn is reflected in the legal approach. The more 
difficult to determine concept of normative privacy now partly overlaps the 
less controversial concept of data protection. [16] The data protection concept 
is based on formal rules regulating how data is dealt with, without these being 
placed in a substantive or normative framework. That the concept of privacy 
is being diminished is reflected in the popular ‘analytical approach’, in which 
privacy is divided up into a spatial dimension, a physical dimension, a relatio- 


339 


nal dimension and an informational dimension. Both developments reveal a 
shift in the way in which the concept of privacy is experienced; privacy appe- 
ars to be a difficult concept. Below a number of illustrations will be given. 

If freedom of movement, the right to go and to stay where one pleases, 
is considered to be an important element of the spatial dimension of personal 
privacy, then the question arises whether the present extensive checks on bag- 
gage and persons at airports, the information demanded by the American au- 
thorities (where travel to the USA is concerned) is an infringement of personal 
privacy or a condition for it. If, consequently, some of the physical aspects of 
privacy are examined, then it becomes clear that the measures taken to protect 
the safety of persons and goods are, in principle, measures that promote pri- 
vacy. 

With respect to relational privacy, what is immediately apparent is the 
considerable number of dating programmes on television, dating agencies, the 
phenomenon of ‘speed dating’ via Internet and sms and the multitude of ‘news 
groups’ and chat sites. Put against a backdrop of informational privacy, the pic- 
ture emerges of a shameless exhibitionism hand in hand with an equally sha- 
meless voyeurism. Without any apparent embarrassment, the most intimate 
details exchanged on a mobile phone are shared with others, often random fel- 
low travellers or those who just happen to be in the lift at the time of the call. 
Similar intimacies, only now with images, can be encountered on countless 
personal home pages and webcams. 

Once ‘Big Brother’ was a nightmare scenario, set in a future, technolo- 
gical world. Now various countries know it as a television programme. Tele- 
vision has become beset by reality shows and live soaps. Web logs en gossip 
are both information as well as entertainment. Given this context, the decision 
of the European Court in the Lindqvist case seems to have come from a diffe- 
rent universe. [17] In the first place, the use of her personal page to describe 
the activities of several of her colleagues — in the phrasing of the Court, “in a 
mildly humorous manner” — is just contemporary use of modern communica- 
tion means, similar in manner to the way in which nowadays millions of pe- 
ople set up there personal pages. Secondly, when actions carried out with the 
help of computers are characterised as ‘processing of personal data’ in the sense 
of the data protection directive, [18] because they are carried out with the help 
of computers, this leads to the erosion of the whole concept behind the term 
‘processing’. Processing becomes a completely unworkable concept, which 
furthermore ignores the fact that processing is only one of the functions of a 
computer. [19] In informatics, processing means that input data is processed, 
whether or not together with other data, into new data; the input data is inter- 
preted by the computer (the fourth stage characteristic in the development of 


340 


technology). However, what is concerned here is the judging whether this sort 
of behaviour is or is not desirable and this consideration should affect the con- 
cept of privacy. 


5. The world has changed (2) 


Generally speaking, the most important factor in determining the development 
of society is technology. Knowledge of technology is, therefore, vital in order 
to describe, explain, predict and influence social developments. The advent of 
information technology has led to new aspects of society. 


5.1 Network society 


We live in a ‘network society’, a term that covers various types of relation- 
ships. For example, the economies of different countries become so intrinsi- 
cally linked that there is a high level of mutual dependence. Individuals may 
find it important to build up a substantial personal network. Businesses have 
to participate in networks, not just at a commercial/economic level, but also 
with respect to technology. Participation is survival. Businesses form so-called 
‘virtual organisations’. [20] 

The relevant technology in this respect is, of course, the Internet and the 
increasing convergence of the Internet with other forms of communication, 
such as telephone and television. Children are brought up with personal com- 
puters and a mobile phone. Apparently, information technology fulfils a need 
to be in contact with the outside world, a need that does not appear to be inhi- 
bited by considerations of privacy. A ‘right to participate’ seems to become the 
new constitutional right in the information society. 


5.2 Service society 


Modern societies are transforming from production societies to service socie- 
ties. In order to offer a service, it is necessary to know what potential clients 
want. This becomes increasingly difficult in an urbanised society. Furthermore, 
the mobility of both client and personnel makes such knowledge of a fleeting 
nature. In the information society, personal contact is often replaced by an 
exchange of electronic data. Information technology has made it possible to 
improve the level of services, but this can mean that citizens are faced with a 
choice between an improved service or protection of their private lives. The 
‘right to enjoy life’, once a consideration for privacy protection, [21] may now 
be a reason to surrender that protection. f 


341 


5.3 Knowledge society 


Society is not only in transition from a production society to a service society, 
but also to a knowledge economy. Knowledge allows increasing complex is- 
sues to be solved or better solutions to be find for less complex issues. The 
knowledge economy is reflected in the way products are developed and the 
way in which services are now provided. It plays a role in the way in which 
education is approached. 

Here again, it is the Internet which acts as the facilitating technology. In- 
ternet makes it possible to participate in chains of production and makes a 
whole variety of services available. The Internet also plays an important role 
in education, as well as influencing the way an individual gathers information. 
If ‘the development of the individual’ is considered to be one of the objectives 
of privacy protection, then a choice has to be made as to whether that deve- 
lopment will not be better achieved by using the Internet. 


5.4 Safety and security 


One opinion that is often voiced is that people find it unpleasant to be spied on 
and to know that their movements can be checked out later. However, when 
members of the public are asked if they would like to see more uniformed po- 
licemen on the street, the vast majority answer in the affirmative; most people 
apparently find a police presence on the streets reassuring. Is it, then, a qu- 
estion of finding the right balance: yes to surveillance in itself but no to su- 
rveillance in an extreme form? 

With respect to the relationship between privacy and safety, the question 
seems to be how much privacy are we prepared to surrender in order to incre- 
ase our safety? [22] When law students ask us what we think of the fact that 
the US National Security Agency secretly monitors Internet traffic using the 
Echelon program, our answer is what they would think if the US National Se- 
curity Agency would not do this. These two basic rights, the right to privacy 
and the right to protection, seem to be uneasy partners. However, the question 
itself is not as straightforward as it may seem. Why is it that most of us are 
perfectly prepared to have our baggage examined in airports but resent our past 
being looked into? And if our past was looked into, would the examination of 
our baggage no longer be necessary? Privacy and safety do not have to be op- 
posites, but the one can affect the other. It would be hard to think of something 
that was a greater infringement of a person’s privacy than having to undergo a 
body search, or having personal belongings searched, or even the threat of it. 

Constitutional rights have a special place in the relationship between the 
authorities and members of the public. Rights and freedoms are formulated 


342 








that are intended to protect citizens against the arbitrary use of power by the au- 
thorities. In the course of time, the concept of the horizontal working of con- 
stitutional rights has developed. The right to respect for personal privacy is not 
just between the authorities and the public, but also between members of the 
public themselves. In former times, it was necessary to protect citizens from the 
arbitrary behaviour of the authorities (or the monarch). Today, in the develo- 
ped democratic states of the West, it would seem that the ‘danger’ emanates not 
so much from the authorities, which are open to public review, but from those 
who reject authority. Fear restricts the movements of citizens, either because 
they are not sure if it is safe to take an airplane or the local metro, or to voice 
a possibly controversial opinion. It would now appear that it is often the au- 
thorities that champion constitutional rights, rather than being the body which 
could be guilty of flouting them. The question now before us is which aspects 
of privacy must weigh heavier in a given situation? The means used will de- 
pend upon how that question is answered. 

Another question that comes to the fore in determining whether some- 
one’s privacy has been infringed, is what criteria should be used. Where there 
is a choice or where there is an advantage to the person concerned, it is less li- 
kely that an infringement of privacy will be considered as unacceptable. In 
order to respect one’s private life it would seem more important to formulate 
these criteria rather than paying attention to actual forms of behaviour, as this 
does not sufficiently take into account the personal character of privacy. 

However, the choice for applying surveillance technology, or being pla- 
ced under such surveillance, is often not one made at an individual level. This 
runs counter to the present day tendency whereby the individual plays a cen- 
tral role. That is because the protection of privacy is not just an issue for indi- 
viduals; it must also take collective needs into account. Paradoxically, it would 
seem that the ‘protection’ of constitutional rights justifies a certain selective in- 
fringement of those rights. This can be explained in terms of the relative uti- 
lity of the application. To the extent that it affects individuals, legislators must 
be careful not to make unwarranted generalizations, as this could result in the 
public rejecting the use of technology. This would be a pity as research into 
such matters as the registration of DNA and the use of extensive databanks 
holding sensitive information, has shown that many people attach more im- 
portance to safety than to privacy. 

The influence of technology on safety is twofold. On the one hand, so- 
cial safety is increasingly threatened by technology, in particular the use of we- 
apon technology (chemical, biological and nuclear), and the use of computers 
and communication systems [23] is often said to be dangerously monopolized 
by state authorities and large corporations. On the other hand, technology can 


343 





be deployed precisely to promote social safety. A whole range of technologi- 
cal applications to enhance safety is already available: security systems (such 
as camera supervision), the identification of both goods and persons (the tag- 
ging of products and people as well as tracking and tracing methods based on 
GMS or GPS or DNA), information processing (image processing, biometrics, 
sensor fusion and data mining), communication and process support (group 
decision systems, virtual reality, coordination systems) and, finally, in law en- 
forcement and criminal investigation (shared reporting systems, camera su- 
pervision systems and the ‘information pistol’). 


5.5 Information technology and social control 


The use of information technology does not always entail an extension of an 
existing competence. It is more often a means by which that existing compe- 
tence becomes more effective and efficient. The simple fact that something is 
useful, or more useful than it used to be, leads in itself to a certain shift in 
norms. It is, however, important that it is borne in mind that technology is it- 
self primarily a ‘means’; it is a means to make possible those things people 
find useful. Information technology is, in this sense, a tool to enforce norms, 
in the same way as the law itself is a tool to enforce norms. 

When people go on holiday, they may ask their neighbours to keep an 
eye on the house. If someone hangs around the deserted house, the neighbours 
might ask whether they can ‘be of help’. That a police car would drive past the 
house more often while they were gone would also be welcome. In former 
times, it was far more common for people to keep an eye on the behaviour of 
others. There are various reasons why that is less the case today. One reason is 
the tendency noted above for increased mobility and individualization. People 
are also aware that an intervention may not be without risk. 

The social control and cohesion typical of society several decades ago 
no longer exist, at least not in that form. It is generally recognized that social 
control and social cohesion have a useful function. The gap left by the lack of 
social control can be filled by the use of technology; it can give social control 
and social cohesion form once again. [24] In any evaluation of information 
technology, factors to be taken into account are not only the costs and disa- 
dvantages, but also what it contributes and its social advantages. 


5.6 Information technology and solidarity 


Whether a decision is made to use information technology seems to be largely 
a matter of efficiency. Efficiency is a norm more often associated with the pri- 
vate sector, yet this consideration is relevant with respect to the public sector 


344 








as well. Although it would seem that efficiency as a norm has achieved greater 
acceptance in the private sector than the public sector, it is not the case that the 
aim of efficiency is without criticism in the private sector, for example with re- 
spect to commercial profit at the cost of service. When this criticism is analy- 
sed, it would appear that the services sacrificed are those that were not 
sufficiently profitable or provided at a loss. What the private and public sec- 
tors share is that those individuals who are affected want a result that suits 
them, even if it is disadvantageous for others, although they are not personally 
willing to contribute more. This leads to a conservative approach. Efficiency 
as a criterion is nevertheless an important guarantee of solidarity. The use of 
technology can promote efficiency. l 

An important question is to what extent people will be prepared to con- 
tribute financially to an expensive system of means redistribution, in which 
not all those who are intended to benefit from the redistribution do so, and 
some of those who do benefit were not intended to do so. Many of the organi- 
zations charged with the task of redistribution are founded on the principle of 
solidarity. This solidarity could be in the form of unemployment benefits, in- 
surance, housing or social security benefits, contribution to church funds, or 
charitable organizations. An important factor here is the tendency pointed out 
above; the increasing complexity of society, increased mobility and individu- 
alization. As a consequence, it has become more difficult to reach those who 
have the right to such assistance, and more difficult to prevent fraud by those 
who do not have the right to this assistance. This puts solidarity under pressure 
and makes it crumble away. Information technology contributes to efficiency, 
for example to prevent the fraudulent use of social security systems, and indeed 
its use could be demanded. 

In practice, it is no longer possible to implement complex legal projects 
without the use of technology. Technology has, in turn, influenced the content 
of these legal rules, as the automation process itself may impose certain requ- 
irements and restrictions. Creating and keeping consensus depends on correct 
implementation, certainly in the long term. Using technology as a means of 
control or as a means to support the enforcement of control, could give those 
involved a greater feeling of certainty. It is because we have computers that 
we can refine general rules, so that relevant individual circumstances can be 
taken into account. It is this very ability to distinguish between cases that makes 
it possible to uphold the principle of equality. In this way, technology could 
contribute to a feeling of solidarity. 


5.7 Subsidiarity and proportionality 


The use of information technology cannot, in general, be seen as irreconcila- 


345 


ble with the right to the protection of personal privacy. Safety is not in oppo- 
sition to privacy, but an aspect of it. Furthermore, it could be argued that the 
right to personal privacy is not an absolute right; other factors can, and some- 
timés must, be taken into account. Thirdly, it has already been pointed out that 
the scope of the concept of privacy, and its interpretation, must be seen against 
a background of technical and social developments. There are positive effects, 
such as the use of technology to increase the usefulness of services to the pu- 
blic and to respect the enforcement of basic rights. 

It is often not necessary to change the law in order to implement infor- 
mation technology. Technology can already be implemented within the exi- 
sting legal context. However, the use of technology can lead to shifts in norms. 
With respect to information technology, just as with other means, attention sho- 
uld be paid to the legal issues that may arise from one situation to another. The 
boundaries for legal application are usually determined by the principles of 
subsidiarity and proportionality. In setting down legal conditions for use, it 
should be realized that a too conservative approach could unfairly favour the 
abusers. Information technology should not only be seen as a means of re- 
pression: it is also a means of providing protection. It gives a high quality se- 
rvice and is cost effective (for consumer and tax payer). It is possible to 
organise surveillance in such a way that not all the information need be made 
known. It is sometimes sufficient that it can be made known. Much work is ta- 
king place in the field of so-called privacy enhancing technology (PET) and 
techniques to ensure anonymity. It is, of course, necessary to consider safety 
precautions, any loss of data and possible claims by those affected by a loss of 
data, misuse of data or use that causes damage. In general, it would seem wise 
to make the legal framework known on the introduction of the technology. 


5.8 Transparency 


In part, the objections to information technology arise when people become 
the objects of surveillance. Nonetheless, the public appears to benefit from su- 
rveillance by the authorities, as well as by private companies. Most of the cri- 
ticism emanates from lawyers and institutions, such as the national Data 
Protection Authorities. Given the rational model of man, it is quite easy to 
explain why the objections come from this direction: it is in the self-interest of 
these groups to protest (which is not the same as saying that their interest is a 
selfish one). 

Furthermore, it would seem that resistance is a characteristic of the as- 
similation process of new technology. It is resistance to technology and resi- 
stance to change. Not knowing whether there is surveillance, what the scope 
of that surveillance is, who is carrying out the surveillance and what will be 


346 








done with the data can make people feel uncomfortable. It is rather like the si- 
tuation of ‘I can’t see you, but you can see me’. Without transparency with re- 
spect to these issues, it is quite possible that people feel more vulnerable rather 
than less. That would inhibit the assimilation process, which would be a pity 
given how important it is that the usefulness of information technology is ack- 
nowledged; one conclusion that is rarely seen in legal literature is that techno- 
logy, also surveillance technology, actually makes it easier to respect and 
protect basic rights. 


6. Conclusion. A new balance is needed. 


It would seem that the advent of the information society has had an effect on 
traditional priorities. More information is available than ever before and the 
easy access to information has transformed the way in which people deal with 
and value information. The dichotomy between personal privacy and free ac- 
cess to information, which has come increasingly to the fore with the advance 
of information technology, justifies a reconsideration of these traditional values 
and interests. 

In the information society the right to privacy is not the predominant 
value before which all other values have to give way. The right to privacy is no 
longer unconditional. Attitudes to privacy have been transformed by the ad- 
vance of technology and the access to information that it offers. Warren and 
Brandeis’ remark that “what is whispered in the closet shall be proclaimed from 
the house-tops” now appears to have been a correct prediction, indeed a pro- 
per description of modern times. It is not that gossip is anything new: what has 
changed is its scale. The gossip that took place in the village square has now 
moved to national television. What was once only known by the few is now out 
in the public domain. And knowledge gives power. It has, for example, made 
consumers a force to be reckoned with, and voters have never known as much 
about the actions of their governments as now. The right to privacy is not only 
a ‘barometer’ for the advance of technology, but also appears to be subject to 
the law of communicating vessels, for example with safety and security but 
also with ‘wanting to participate’. In the more complex information society, an 
increasing number of alternatives compete with the right to privacy, which 
makes it more likely that the interests of privacy will be weighed against other 
interests. 

The right to privacy is not only increasingly in conflict with the desire 
to use information technology, but also with some of the basic rights of others. 
In the first place, it seems that many people these days prefer the right to be free 
in public than the right to privacy. Furthermore, the right to privacy of one per- 
son may conflict with the ‘right to know’ of others. In our changing world, 


347 


with increasing threats to safety and security, it is in the interest of most people 
to make informed decisions. Modern information technology has made it re- 
latively easy and inexpensive to make that information available. 

In the information society the unconditional protection of privacy is be- 
coming less important, it is one interest to be weighed against other interests. 
Many individuals prefer to be able to maximize utility rather than to have their 
privacy rights protected. Nevertheless, even if privacy may no longer be con- 
sidered as the highest good, that does not mean it is irrelevant. A proper balance 
has to be found. Information technology can be abused: knowing facts about 
people does not mean that these facts may be used for all purposes. Knowing 
that a person is suffering from a serious illness, for example, gives insurance 
companies the opportunity to determine risks and costs accurately. This should 
not necessarily mean that people with such an illness will not have the same ri- 
ghts as other people to enter into an insurance contract. On the other hand, it 
does not seem rational to abandon the gathering and processing of personal 
data altogether because of the fear of its abuse. Ignorance of the facts is seldom 
preferable to decision-making based on knowledge. 

A pre-requisite to prevent the abuse of information technology is that 
its use has to be transparent. Those involved then have the opportunity to know 
how the information about them is used, and may take appropriate action. As 
information technology is used by government agencies as well as by private 
parties, it is increasingly important that the monitoring of this use is organized 
in an independent way. Openness and transparency — as well as proper moni- 
toring - are more important to the protection of the private life of citizens than 
secrecy and the hiding of information. 

With the advent of the information society, the rules governing privacy 
have been affected by those regulating the protection of personal data. Given 
the perspective outlined above, it can only be concluded that these rules re- 
flect the old way of thinking, rather than give form to new relationships. Wi- 
thin the European Union, there were legislative developments before the 
adoption of the privacy directive, [25] usually arising from the Convention of 
Strasbourg [26] v and after the EU directive. What can be seen is that neither 
of these developments has been successful as a way of connecting to the new 
paradigm. 

In the Netherlands, the Data Registrations Act came into force in 1987. 
This law is the result of the discussions which took place at the end of the 
1960s and reflects the thinking at that time. [27] The 1960s and 70s were cha- 
racterised by the use of the sociological model and a belief in a society which 
could be moulded. The law is based on control, licences, permits and regula- 
tions. The subject matter of the law is static personal registration, with the Re- 


348 








gistration Authority acting as the supervisor charged with the granting of li- 
cences and approving regulations. At the time the law was introduced, it was 
already out of date because it had in the meantime become possible to couple 
registrations and have automatic exchange of data. 

After the implementation of the privacy direction on 6 July 2000, it was 
announced that the Data Protection Act would replace the Data Registrations 
Act. This new act was necessary to implement the privacy directive, but also 
to accommodate the coupling of registrations and computer networks. The 
1980s and 90s were characterised by the increasing prominence of the rational 
model of man and the embracing of the market economy. The law is based on 
open norms and transparency, making private enforcement possible. The sub- 
ject matter of the law is the processing of personal data, the supervisor is the 
‘Authority for the protection of personal data’. The Internet meant that the law 
was already out of date at the time it was introduced. 

The Internet has made a third transformation of the legislation on per- 
sonal data necessary, although that transformation resembles more the phoenix 
arising from the ashes than the snake shedding its skin. To avoid the potential 
dangers and disadvantages of an ‘Authority for the protection of personal data’, 
it would be necessary to make sure that one function of such an Authority 
would be to weigh the interests of privacy against other interests of impor- 
tance. The information society requires a more sophisticated system of moni- 
toring. [28] However, attempts to control the stream of information on the 
Internet are generally ineffective and, furthermore, undesirable in most cases, 
and particularly when personal data is concerned. On the one hand, individu- 
als want to prevent the misuse of personal information by third parties. On the 
other hand, third parties wish to prevent possible abuse by individuals. Moni- 
toring would ensure that individuals are not excluded, that personal data is fre- 
ely available and that action is taken against irrational barriers to the free flow 
of information. In conclusion, privacy is no longer the predominant value, and 
that necessitates the establishment of a new balance between the protection of 
privacy and the freedom of access to information. This, in turn, necessitates a 
new approach to the monitoring function. 


Notes 


[1] Francis Fukuyama, 1993. 

[2] T.S. Kuhn, 1970. 

[3] M.C. Jensen & W. H. Meckling, 1994, p. 4-19. 
[4] See note 2. 


[5] J. Verhoeff, 1980, p. 247; Also: R.V. De Mulder , 1984, p. 95; P. Kleve, 2004, p. 55 and 
361. 


349 


[6 P. Kleve, R.V. De Mulder & C. van Noortwijk, 2006. 

[7] P. Kleve & F. Kol ff, 1999. 

[8] It would seem that the principle of white listing is better known by law makers (for 
example in the European Union) than the technique, given the law has chosen for a so-cal- 
led ‘opt in’ regime (rather than an ‘opt out’ regime) for sending unsolicited commercial 
communication. 

[9] S.D. Warren & L.D. Brandeis, 1890. 

[10] J. Thomson, 1975, p. 295-314. 

[11] Fe. T. Scanlon, 1975, p. 315-322. 

[12] D. Solove, 2006, p 477-564. 

[13] See for the cultural, economic and technological relativity of privacy e.g. A. Allen, 
1988; A. Moore, 2003, p. 215-227; F. Schoeman, 1984. 

[14] B.J. Koops & A. Vedder, 2001. 

[15] A.F. Westin, 1967. 

[16] F.e. the Directive 95/46/EC of the European Parliament and of the Council of 24 Octo- 


ber 1995 on the protection of individuals with regard to the processing of personal data 
and on the free movement of such data. 

[17] European Court, 6 November 2003, case C-101/01. 

[18] See note 15. 

[19] In addition to processing, the functions of computers include input and output, storage 
and telecommunication. 

[20] This term is used to indicate a cooperation between independent legal entities that 
work together as if they form one organisation, as well as the cooperation between depart- 
ments, branch offices and sub-offices as if these offices were located in one physical buil- 
ding. 

[21] See the quote by Warren and Brandeis cited above. 

[22] Fe. A. Moore, 2000, p. 697-709 argues that trading privacy for security strikes the 
wrong balance and in many cases undermine both. See also the quote attributed to Benja- 
min Franklin,1759, http://en.wikipedia.org/wiki/Those_who_would_give_up_Essen- 
tial_Liberty): “Those who would give up Essential Liberty to purchase a little Temporary 
Safety deserve neither Liberty nor Safety”. 

[23] E.R. Muller, R.F. Spaaij and A.G.W. Ruitenberg, 2003, p. 87 af. 

[24]A contrary concept is that, for example voiced by Schoeman, that privacy actually pro- 
vides protection from a too extensive social control. (F. Schoeman, 1992). 

[25] Directive 95/46/EC of the European Parliament and of the Council of 24 October 
1995 on the protection of individuals with regard to the processing of personal data and on 
the free movement of such data, OJEC L281, 31. 

[26] Convention for the Protection of Individuals with regard to Automatic Processing of 
Personal Data, Council of Europe 1981. 

[27] See, inter alia, the definition of privacy by Westin above. 

[28] R.V. De Mulder, 1998, p 47-56. 


350 








References 


13. 
14. 


15. 


16. 


17. 
18. 
19. 


20. 


Allen, Uneasy Access: Privacy for Women in a Free Society, Totowa, N.J.Rowman and 
Littlefield 1988. 


Francis Fukuyama, The end of history and the last man, New York, 1993. 

M.C. Jensen & W. H. Meckling, ‘The Nature of Man’, Journal of Applied Corporate Fi- 
nance 1994-2, 

P. Kleve, Juridische iconen in het informatietijdperk (Legal Icons in the Information 
Age, with summary in English) (diss.) Rotterdam/Deventer: Sanders/Kluwer 2004. 


. P. Kleve & F. Kolff, ‘MP3: The End Of Copyright As We Know It?’, Proceedings of the 


IASTED International Conference Law and Technology (LawTech'99), IASTED: Ho- 
nolulu, Hawaii. 

P. Kleve, R.V. De Mulder & C. van Noortwijk, ‘The Amazing Diversity Framework of 
the Intellectual Property Rights Harmonisation’, Globalisation and Harmonisation in 
Technology Law, proceedings 21th Bileta conference 06-04-2006, Brockdorff et al., 
(Eds.), Bileta: Malta, ISBN: 90-5677-286-4. 

B.J. Koops & A. Vedder, Opsporing versus privacy: de beleving van burgers, Den Haag: 
Sdu Uitgevers 2001. 


T.S. Kuhn, The structure of scientific revolutions, Chicago, 1970 (1962). 


Moore, ‘Employee Monitoring & Computer Technology: Evaluative Surveillance v. 
Privacy’, Business Ethics Quarterly 2000-10. Moore, ‘Privacy: Its Meaning and Value’, 
American Philosophical Quarterly 2003-40. 


. R.V. De Mulder , Een model voor juridische informatica (A Model for Legal Compu- 


ter Science, with summary in English) (diss.), Lelystad: Vermande 1984. 


. R.V. De Mulder, ‘The Digital Revolution: From Trias to Tetras Politica’, in: 1.Th.M. 


Snellen and W.B.H.J. van de Donk, (Eds.), Public Administration in an Information 
Age. A Handbook, Amsterdam: IOS Press 1998, ISBN: 90 5199 395 1. 


. E.R. Muller, R.F. Spaaij and A.G.W. Ruitenberg, Trends in terrorisme, Alphen aan den 


Rijn: Kluwer 2003. 
T. Scanlon, ‘Thomson on Privacy’, Philosophy and Public Affairs 1975-4.J. 


F. Schoeman, (ed.), Philosophical Dimensions of Privacy: An Anthology, Cambridge: 
Cambridge University Press 1984. 


F. Schoeman, Privacy and Social Freedom, Cambridge: Cambridge University Press 
1992. 


D. Solove, ‘A Taxonomy of Privacy’, University of Pennsylvania Law Review 2006- 
154. 


Thomson, ‘The Right to Privacy’, Philosophy and Public Affairs 1975-4. 
J. Verhoeff, ‘Is de chip in de hand te houden?’, in: Spectrum Jaarboek 1980. 


S.D. Warren & L.D. Brandeis, ‘The Right to Privacy’, Harvard Law Review, Vol. IV 
December 15, 1890 No. 5. 


AF. Westin, Privacy and Freedom, New York: Atheneum 1967 


351 














Towards Bridging the Knowledge Gap between Lawyers 
and Technologist 


Rasika Dayarathna 


Department of Computer and Systems Sciences, 
Stockholm University/ Royal Institute of Technology. 
si-ika@dsv.su.se 


Abstract. Although information and communication technology 
(ICT) has made our lives more comfortable, it has widened threats to 
our privacy by making the processing and storing of personal informa- 
tion more convenient and economical; consequently, a huge demand has 
been created for the proper handling of personal information. Some 
countries have introduced data protection and privacy legislation meas- 
ures to ensure the proper handling of personal information. Data con- 
trollers deploy organizational and technological measures to protect 
personal information. Technologists are then involved in designing, im- 
plementing, and operating these measures to a great extent. It has been 
shown, however, that a knowledge gap exists between legal privacy ad- 
vocates and technologists who protect personal information. In order to 
hold a healthy dialog, a common platform must be created for technol- 
ogists and legal privacy advocates. This paper proposes a methodology 
for bridging the knowledge gap between technologists and legal privacy 
advocates. This platform facilitates a way for both parties to have a fruit- 
ful dialog. 


Introduction 


Every development threatens the stability of society. In reaction, society at- 
tempts to re-stabilize itself by making changes. This can be evidenced by the 
modifications that took place in the nineteenth century. One example of this 
evolvement came about through a large number of widespread fires. Fire 
brigades worked on developing an efficient means of reaching fire-strewn 
places within a short period of time. This was the main reason for the stan- 
dardization of street names and addresses (Ackerman, 2000). 

The advancement and widespread application of ICT has changed our 
society. In this new society we have a massive amount of information; however, 
the amount of information we gather is never enough. For example, monitor- 
ing and searching capabilities introduced by ICT have created serious threat to 
our privacy. On the other hand, we do not have enough information about how 
data controllers handle our personal information. Therefore, new rules, norms, 
and codes are needed to combat the threats that have been posed by ICT. 
(Lessig, 1999) 


353 


The battle for the right to privacy has a very long history. It has been 
recognized as a fundamental human right and is documented as such in Arti- 
cle 12 of the Universal Declaration of Human Rights, Article 17 of the Inter- 
national Covenant on Civil and Political Rights, and in many other international 
and regional human rights treaties. One aspect of privacy is information pri- 
vacy, which deals with the proper handling of personal information. This has 
become a hot issue with the advent and widespread use of ICT. Because of 
this, many countries started introducing personal data protection legislation in 
the early 1970’s. 

The first national data protection legislation was introduced by Sweden 
in 1973. Two additional milestones are EU Directive 95/46/EC and EU Di- 
rective 2002/58/EC. The first is a general data protection directive that covers 
almost every sector. The second covers only the telecommunications sector. 
Member countries of the European Union have drafted national législation 
based on these directives. In the United States, privacy legislation is much dif- 
ferent because it is sector specific and self-regulatory. Without introducing any 
general data protection legislations, the United States government has enacted 
data protection legislation for specific sectors such as the financial and health- 
care divisions. Other sectors like e-commerce are required to be self govern- 
ing. Three basic motives have inspired the introduction of these laws: 
remedying past injustices, promoting electronic commerce, and keeping up 
with EU data protection practices (EPIC, 2003). 

In addition to the above stated legislative measures, a number of non- 
legislative measures have taken hold. The International Security, Trust, and 
Privacy Alliance (ISTPA) privacy framework, the American Institute of Certi- 
fied Public Accountants, Inc., the Canadian Institute of Chartered Accountants 
(AICPA/CICA) privacy framework, and the Asia-Pacific Economic Council 
(APEC) privacy framework fall into this category. 

In privacy directives, legislation measures, guidelines, framework, and 
industry-best practices, the basic building blocks are information privacy prin- 
ciples. According to the ISTPA (2003), privacy principles describe how per- 
sonal information should be handled in a more abstract manner. 

The ISTPA privacy framework has listed eight generally accepted pri- 
vacy principles including accountability, collection limitation, disclosure, par- 
ticipation, relevance, security, use limitation, and verification. The 
AICPA/CICA (2004) privacy framework defines ten privacy components. 
These are management, notice, choice and consent, collection, use and reten- 
tion, access, disclosure, security, monitoring and enforcement, and quality. The 
office of privacy commissioner of Australia (1988) has listed eleven informa- 
tion privacy principles based on the Privacy Act of 1988. These principles are 


354 








made up of the manner and purpose of the collection of personal information, 
solicitation of personal information from individuals concerned, general so- 
licitation of personal information, storage and security of personal informa- 
tion, information relating to records kept by record keepers, access to records 
containing personal information, alteration of records containing personal in- 
formation, checking the accuracy of personal information before use, personal 
information to be used only for relevant purposes, limits on use of personal in- 
formation, and limits on the disclosure of personal information. The PISA proj- 
ect has derived nine privacy principles from EU Directive 95/46/EC. They are 
reporting the processing, transparent processing, as required processing, law- 
ful basis for data processing, data quality, rights of the parties involved, pro- 
cessing personal data by a processor, protection against loss, unlawful 
processing of personal data, and data traffic with countries outside the EU 
(Blarkom et al., 2003). 

One of the key information privacy principles is safeguarding security. 
The Organization for Economic Cooperation and Development (OECD) 
(1980) has said, “Personal data should be protected by reasonable security safe- 
guards against such risks as loss or unauthorized access, destruction, use, mod- 
ification, or disclosure of data”. The EU Directive 95/46/EC concerns the 
processing of personal information and the transfer of personal information to 
other countries. Article 17 of the directive prohibits the processing of personal 
information without providing an adequate level of protection for the infor- 
mation being processed. According to Article 25 of EU Directive 95/46/EC, the 
transferring of personal information to another country is granted on the ade- 
quacy of security protection given in that country. The Canadian Data Protec- 
tion Act also insists on an appropriate level of personal data protection (Senate 
and House of Commons of Canada, 2000). A substantial number of complaints 
received by data protection or privacy commissioners concern a breach of this 
principle. During the period of 2004-05, the office of the Hong Kong privacy 
commissioner (2006) received 131 cases regarding this principle. This 
amounts to fourteen percent of the total cases received during that time. In 
essence, this principle insists on an adequate or reasonable level of protection 
for personal information. 

The challenging question lies in how to determine an appropriate/rea- 
sonable protection level. By looking into this matter, several sub matters are 
raised such as how to achieve the desired level of protection. Although some 
enactments have given a few factors to be taken into account when deciding the 
appropriate level of protection, they are silent on how to achieve the desired 
level. This causes a number of problems for data controllers and technologists 
since they do not have a sufficient understanding about when, where, and how 


355 


to protect personal information. For example, the privacy commissioner of 
Canada prohibited using an access control system that authenticates users based 
on the year of birth because it did not provide adequate protection for personal 
information (Birth Date, 2001). 

Information security, which focuses on providing an optimal level of 
confidentiality, integrity, and availability, demands that more personal infor- 
mation be provided to security. However, from an information privacy per- 
spective, the excessive collection and use of personal information is not 
allowed. Therefore, technologists face two problems: how to achieve an ade- 
quate level of protection for personal information and to what extent personal 
information can be used for providing security. 

The preceding discussion shows the conflicting battle between security 
and information privacy regimes. Legal privacy advocates are responsible for 
judging the adequacy of measures used to both collect and protect personal in- 
formation. Therefore, they need thorough knowledge on technological meas- 
ures used to protect personal information. On the other hand, technologists 
need to know their legal privacy obligations. 

It is often the case that technologists and lawyers do not know each 
other’s language; they do not work with the same verbiage, knowledge, or com- 
munication. This has created a large knowledge gap between lawyers and tech- 
nologists. For example, in an Internet terror trail case, Judge Peter Openshow 
said, “The trouble is I don’t understand the language. I don’t really understand 
what a website is” (Wells, 2007). 

Dealing with the same issue, technologists have been known to misin- 
terpret legal requirements. According to Dempsey and Rubinstein (2006), sys- 
tems administrators and engineers have been heard saying that the 
Communications Assistance for Law Enforcement Act (CALEA) requires X or 
that the Patriot Act requires Y when no such mandate actually exists. These 
kinds of misunderstandings and excessive lawsuits make barriers for the 
progress of technology (Egan & Jucovy, 2006). 

Various means have been proposed for bridging this knowledge gap. 
Stephen Breyer (2005), a Supreme Court Justice in the USA, has suggested 
using publications, meetings, legislative hearings, and court cases. Gidari & 
Coie (2006) believe that knowing each other’s languages would help form a 
mutual dialog between lawyers and technologists. Dempsey & Rubinstein 
(2006) state, “As lawyers, we owe it to the tech community to explain the legal 
framework that in turn shapes technology”. 

This study investigates how to build a common platform that bridges 
the knowledge gap between legal privacy advocates and technologists. It par- 
ticularly focuses on the principle of security safeguards. This common plat- 


356 








form would help these two factions have a healthy dialog focusing on legal 
privacy issues and protective measures. The proposed methodology presents 
how to map legal privacy requirements, stated in data protection legislation 
measures, into technical and organizational functionalities. Once the mapping 
is complete, these measures can be used to fulfil legal privacy obligations. The 
motivation for this study is to make it more convenient for technologists to 
identify the most appropriate and feasible technical and organizational meas- 
ures for providing security and protecting personal information. 


2. The proposed methodology 


The following sections explain the proposed methodology alone with the in- 
termediary stages that handle the complexity of the issue. The process starts 
with legal privacy requirements. Then, the focus gradually goes onto techno- 
logical and organizational measures. 


Privacy principles 

First, bridging the knowledge gap requires a precise understanding of the re- 
quirements imposed by data protection principles. These principles, which are 
the basic building blocks of data protection laws and their framework, are made 
from different dimensions. The need for a common set of privacy principles is 
evident in studying case laws and commissioners’ decisions since data protec- 
tion and privacy commissioners categorize cases according to their own 
schemes. This practice makes it difficult to compare case studies across juris- 
dictions. 

A good starting point is scrutinizing data protection legislations and 
other standards. Some commissioners have already specified underlying pri- 
vacy principles in their data protection legislation. For example, the Australian 
privacy commissioner has published the principles in the Australian Privacy 
Act. Sector specific laws, specifically the threats mentioned in them, help peo- 
ple to understand the scope of data protection principles. In addition to legis- 
lation measures, there are many regulations, best practices, and standards used 
for privacy protection that can be seen in various documents and articles. In ad- 
dition to this, it is necessary to study how market forces demand privacy in- 
formation protection. Decisions given by data protection advocates, privacy 
commissioners, and other competent tribunals help with understanding bound- 
aries, scopes, and different dimensions of the principles. For instance, case 
laws shade light on reasonableness. 

At the end of this phase, a rich set of privacy principles and different 
aspects of them are expected to be drawn out. Having a rich set of privacy prin- 
ciples lays the foundation for comparative case studies. 


357 


High-level privacy requirements 


The next step is identifying high-level requirements imposed by privacy prin- 
ciples. According to the introduction to the ISTPA privacy framework, fair in- 
formation practices (FIPs), which are meant to provide functional-level 
requirements, have failed to provide desired functional-level requirements. In 
this stage, instead of directly going to the functional-level requirement, an ab- 
stract level known as high-level requirement is introduced. For example, the 
principle of security safeguards requires protection from loss, unauthorized ac- 
cess, disclosure, alteration, and destruction. 

The first layer of Figure 1 represents privacy principles and the second 
layer represents high-level requirements. Since this figure was presented to 
show the relationship between various stages, it should not be considered as a 
complete picture. The reason for having this layer is it shows similar require- 
ments being put into a single component. This categorizing makes it more con- 
venient to identify a particular component and the functionalities contained 
therein. 

This is one stage where the focus can be restricted. Focusing on a par- 
ticular domain in early stages would save cost and time. However, there is a 
chance of missing key items. Focusing on this at later stages would give a 
richer picture, but it is more costly. 


Functional-level Requirements 


The third step is identifying the appropriate functional-level requirements. This 
layer analogues the waterfall method in software engineering. It represents an 
intermediary stage between high-level requirements and technical-level re- 
quirements. It shows the means, stages and places for fulfilling the identified 
high-level requirements. For example, unauthorized access can take place at 
various places including a user to computer interface, between the interface 
and the data link layer, during the end to end transmission over the network, 
from the data link layer to the computer interface at the destination, or between 
the computer interface and the recipient. There are possibilities of further gran- 
ulizing the above stages. 

A high-level requirement can be met through a number of functional- 
level requirements. Article 5.1 of the EU Directive 2002/55/EC provides a set 
of functional-level requirements against unauthorized access including the pro- 
hibition of trapping, listening, storage, or any other form of surveillance (the 
first four items appear in the third layer in Figure 1). The requirements im- 
posed by the CALEA provide another example. It requires the telecommuni- 
cations industry to implement a certain level of functional-level requirements 


358 








such as isolating the content of a targeted communication, identifying the orig- 
inating and destination number of a targeted communication, and transmitting 
the targeted communication and the numbers to a given law enforcement au- 
thority (Gidari & Coie, 2006). However, the act does not specify how to im- 
plement these measures. The examples illustrated above show what 
functional-level requirements are from two different angles. 

In most cases, identifying these functional-level requirements is not 
straightforward. In addition to legislation measures, other sources for identi- 
fying functional-level requirements are privacy frameworks such as the ISTPA, 
the APEC, and the AICPA/CICA. Security frameworks, industry standards and 
best practices, court decisions, and directions and decisions given by data pro- 
tection and privacy commissioners can also be looked to for guidance. In ad- 
dition to this, decisions and directions may help identify some requirements 
that are not explicitly mentioned in legislative measures. For example, the 
Dutch data protection commissioner advised librarians to communicate with 
their members through an encrypted channel over the Internet (European Com- 
mission, 2006). 

At this stage, it is also possible to focus on a particular environment. 
For example, the discussed scenario can be used for mobile communication 
environments or web-based communications. Focusing on a particular envi- 
ronment is very essential due to environment-specific threats, capabilities, in- 
herit strengths, and weaknesses. For example, mobile phones are not capable 
of carrying out strong cryptographic-based computations. 

Another important factor is the exceptional circumstances mentioned 
in legislation. Some legislative measures prohibit the securing of information 
systems beyond a certain limit. For example, securing communication channels 
without leaving access to law enforcement authorities is prohibited. In addition 
to this, there are cases where data subjects have options to go for less protec- 
tive regimes. For example, the interception of a communication channel with 
the consent of a user is permitted. The two cases illustrated above are given in 
Article 5.1 of EU Directive 2002/58/EC. Two boxes inherited from prohibited 
listening represent these two exceptional situations (Figure 1). However, it 
should be noted that there are cases where it is not possible to lessen the pro- 
tection, even with the consent of the data subject (Opinion 1/98, 1998). 


Technical and Organizational Measures 
The last stage in bridging the knowledge gap is identifying appropriate orga- 
nizational and technological measures that are capable of providing the desired 


level of functionality. Technological measures decide appropriate technical 
measures such as encryption algorithms, key sizes etc. Organizational measures 


359 


cover all non-technical measures such as control to access keys, the required 
level of logging details, the amount of training needed, etc. In some cases there 
is a range of technical and organizational measures needed to fulfil a single 
functional-level requirement. For example, there are various options for pro- 
tecting a financial website from unauthorized access including digital certifi- 
cates, hardware tokens, one time passwords, lists of one time passwords, 
challenge/response mechanisms, etc. 

Some functional measures need a number of supporting technological 
and organizational measures. For example, an efficient challenge/response 
mechanism to protect against unauthorized access needs certain additional 
measures. Another issue is new threats created by protection measures them- 
selves. The selection of appropriate organizational and technological measures 
depends on a number of factors. Some of them are ease of use, the availability 
of measures, the understanding and competency of users, and cost factors. Ar- 
ticle 17 of EU Directive 95/46/EC specifically mentions that cost factors are 
to be considered when determining the level of protection required. 

Another important aspect is exceptional situations specified. As dis- 
cussed above, in some cases the law prohibits using strong encryption algo- 
rithms. At the end of this stage, a summary of scrutinized legal doctrines and 
other standards are presented. This summary would show how a particular 
functional-level requirement is demanded by the studied legislation and stan- 
dards. Although this is an optional stage, this summary helps to compare rela- 
tive merits of legislation and standards. A good measure should clearly and 
precisely specify the desired requirements in a non-technical language. Other- 
wise, the language creates many hardships for technologists and data con- 
trollers. It was reported that there was confrontation between law enforcing 
agencies, the telecommunications industry, and standardization bodies because 
the CALEA had not clearly mentioned their desired requirements (Dempsey 
& Rubinstein, 2006). This cross comparison would help understand the exact 
requirements because, in most cases, the same requirement is expressed in dif- 
ferent terms. 

A blueprint of the proposed matrix is presented in Table 1. It gives ap- 
propriate organizational and technological measures to fulfil functional-level 
requirements. The vertical axis lists both organizational and technological 
measures and the horizontal axis presents functional-level requirements. If a 
given functional-level requirement is fulfilled by one or more measures, the 
corresponding boxes are marked with an X. In cases where a combination of 
measures is needed to fulfil a single requirement, all measures in this combi- 
nation are marked with an additional subscript. For example, there are several 
approaches to protect a financial website. If a digital certificate stored in a com- 


360 








puter is used as an access control mechanism to access the website, it also 
needs a strong access control mechanism for accessing the computer, specially 
the browser’s security manager. In the matrix, these measures are marked as 
(Xj). A blank box shows that there is no relationship between the functional 
level requirement shown in the vertical axis and the measures given in the hor- 
izontal axis. When using a particular measure is prohibited, the box is marked 
with “prohibited”. If a measure is not capable of fulfilling a given functional- 
level requirement, the intersecting box is marked “not sufficient.” 

Relevant organizational and technological measures are partly covered 
in privacy and security frameworks such as the ISTPA, the AICPA/CICA, and 
the APEC privacy framework, the BS 7799, the Common Criteria (CC) and 
other industry standards and best practices. The measures covered in the above 
standards have to be rearranged and other relevant measures have to be intro- 
duced in building the final platform. The key feature in the proposed platform 
is the emphasis on the adequacy of protection given to personal information 
and the use of personal information in providing security. 


3. Discussion and Future works 


Using existing security standards for providing information privacy controls 
has been suggested by Siougle & Zorkadis (2002). Even though adopting the 
existing security standards for information privacy controls is simple and 
straight forward, it would cause many conflicts of interest. According to the ex- 
planatory notes that accompany the OECD privacy guidelines (1980), privacy 
and security are two different things. Furthermore, it has been decided that the 
existing security controls breach the right to privacy. For example, in a num- 
ber of cases it was held that monitoring employees’ activities, which is a rec- 
ommended security control, violates employees’ rights to privacy (cited in 
Lawdit Solicitors, 2002). Therefore, desirable safeguards for personal infor- 
mation from the existing security standards can not be expected to work. An- 
other significant difference is that organizations have more dominant roles in 
security whereas data subjects have very limited roles. In contrast, data subjects 
have tremendous authority over their personal information when information 
privacy is concerned. 

Today, standardized best practices are used to fill appropriate measures 
for protecting information privacy. However, the adequacy and quality of these 
practices are heavily questioned (Iachello, 2003). For example, BS 7799 was 
criticized for its lack of scientific nature (Siponen, 2001). Another example is 
that web-based seal providers failed to get maximum ratings for their compre- 
hensive coverage on the principle of security safeguards (Centre for Democ- 
racy & Technology, 1999). The above studies also highlight the need for better 


361 


guidelines for the protection of personal information. Since the proposed plat- 
form is based on privacy legislation and decisions given by data protection and 
privacy commissioners, guidelines on how to balance security and privacy are 
provided. In addition to this, the finding would contribute to enhancing the ex- 
isting security and privacy frameworks and standards. 

The final platform could be used for legal privacy compliance audits by 
customizing it to a particular jurisdiction. Suggested future works would en- 
hance the platform to measure effectiveness of the controls deployed to protect 
personal information. In order to do that, a broader framework, which takes 
the cost factor into account, is needed. 

This exercise is expected to conclude with a focus on principle security 
safeguards in a selected domain. Once the proposed platform is built, the ef- 
fectiveness of the methodology and its platform could be verified. Possible 
verification methods are in-depth case studies and workshops. Conducting 
workshops facilitates a way to obtain contributions from domain experts, legal 
privacy advocates, and technologists. 


Reference 


1 


w 


[AICPA/CICA ] Assurance Services Executive Committee of the AICPA and the As- 
surance Services Development Board of the CICA. (2004). AICPA/CICA Privacy Fra- 
mework. New York: Author. 

[EPIC] Electronic Privacy Information Center and Privacy International. (2003). Pri- 

vacy and Human Rights. Washington, DC:Author. 

[ISTPA] International Security- Trust and Privacy Alliance. (2003, January 20). ISTPA 

Privacy Framework. Herndon, VA 20171:Author. 

4) Ackerman, M. (2000). Developing for Privacy: Civility Frameworks and Technical De- 
sign. Paper presented at the Proceedings of the tenth conference on Computers, fre- 
edom and privacy, Toronto, Ontario, Canada. 

Birth Date - Security of a bank's automated telephone service. (2001). Retrieved Sep- 
tember 04, 2007, from http://www.privcom.ge.ca 

6) Blarkom, G. W. V., Borking, J. J., & Verhaar, P. (Eds.). (2003). Handbook of Privacy 

and Privacy-Enhancing Technologies. Haag: College bescherming persoonsgegevens. 

Breyer, S. G. (2005). Active Liberty: Interpreting Our Democratic Constitution. New 

York: Knopf. 

Centre for Democracy & Technology. (1999). Behind the Numbers: Privacy Practices 

on the Web. Retrieved November 05, 2007, from http://www.cdt.org/privacy/ 

990727privacy.shtml 
9) Dempsey, J. X., & Rubinstein, I. (2006). Guest Editors' Introduction: Lawyers and Tech- 
nologists-Joined at the Hip? IEEE Security and Privacy, 4(3), 15-19. 

10) Egan, E., & Jucovy, T. (2006). Building a Better Filter: How To Create a Safer Internet 
and Avoid the Litigation Trap. IEEE Security and Privacy, 4(3), 37-44. 

11) European Commission. (2006). Ninth Annual Report of the Article 29 Working Party on 


2 


— 


3 


~ 


5 


wa 


7 


— 


8 


~ 


362 








Data Protection. Retrieved November 4, 2007, from http://ec.europa.eu/justice_home/ 
fsj/privacy/workinggroup/wpdocs/2007_en.-htm 

12) Gidari, A., & Coie, P. (2006). Designing the right wiretap solution: setting standards 
under CALEA. IEEE Security & Privacy Magazine, 4(3), 29-36. 

13) Iachello, G. (2003). Protecting Personal Data: Can IT Security Management Standards 
Help? In Proceedings of the 19th Annual Computer Security Applications Conference 
(Vol. 8, pp. 266 - 275). Washington, DC: IEEE Computer Society. 

14) Lawdit Solicitors. (2002, October 2002). Nikon France vs. Frederic Lawdit Solicitors, 
from http://www.lawdit.co.uk/reading_room/room/view_article.asp?name=_../arti- 
cles/Nikon%20France%20vs%20Frederic%200nos.htm 


15) Lessig, L. (1999). Code : and other laws of cyberspace. New York: Basic Books. 


16) Office of the Privacy Commissioner for Personal Data-Hong Kong. (2006). Personal 
DataAnnual Report 2004-05 Retrieved September 04, 2007. from 
http://www.pcpd.org.hk/english/publications/annualreport2005_4.html. 

17) Opinion 1/98: Platform for Privacy Preferences (P3P) and the Open Profiling Standard 
(OPS). (1998). Working Party on the Protection of Individuals with regard to the pro- 
cessing of Personal Data Retrieved September 04, 2007, from http://ec.europa.ew/jus- 
tice_home/fsj/privacy/workinggroup/wpdocs/2007_en.htm 

18) Organisation for Economic Co-operation and Development. (1980). OECD Guidlines 
on the protection of Privacy and Transborder Flows of Personal Data. Paris: Author. 


19) Senate and House of Commons of Canada. (2000). Personal Information Protection 
and Electronic Documents Act -Canada. Retrieved September 04, 2007. from 
http://laws.justice.gc.ca/en/ShowFullDoc/cs/P-8.6///en. 

20) Siougle, E. S., & Zorkadis, V. C. (2002). A Model Enabling Law Compliant Privacy 
Protection through the Selection and Evaluation of Appropriate Security Controls. 
Paper presented at the Proceedings of the International Conference on Infrastructure 
Security Bristol, UK. 

21) Siponen, M. T. (2001). On the scientific background of information security manage- 
ment standards: a critique and an agenda for further development., The Second Annual 
Systems Security Engineering Conference (SSE). Orlando, Florida, USA. 

22) The Office of Privacy Commissioner-Australia. (1988). Information Privacy Princi- 
ples under the Privacy Act 1988. Retrieved September 04, 2007. from http://www.pri- 
vacy.gov.au/publications/ipps.html. 

23) Wells, T. (2007). Judge: What is a website? [Electronic Version]. The Sun. Retrieved 
May 17,2007 from __ http://www.thesun.co.uk/article/0,,2-2007220614,00.html 


363 





Table 1: A blue print of the final platform 


Challenge/Response with xI xi 
minimal length of 10 chars 
Bio Metrics (Finger print) Prohibited Prohibited X4 


Hardware tokens x X3 


Challenge/ Response x Not sufficient 
mechanism 











Digital Certificate (TEC) X1 








Unauthorized ac- 
cess to web 
servers 


Access to securi : 
ty Unauthorized access 
manager of client 
to office space 


machines 

















Figure 1: The principle, high level requirements, functional level requirements 
and exceptions. 






Principle of Security 
Safeguard 


Unauthorized use and 
alteration 










Loss Unauthorized access 












Prohibit access- 
ing servers 


Prohibit Listening 


Prohibit Tapping 


User’s consent 


Prohibit Storage Other interceptions or 
surveillance 








Law enforcemmet 


364 











Wresting Informational Privacy from Free Speech 


Sabah S. Al-Fedaghi 
Computer Engineering Department 
Kuwait University 


P.O. Box 5969 Safat 13060 Kuwait 
sabah@eng.kuniv.edu.kw 


Abstract. This paper deals with the conflict between privacy 
rights and the freedom of speech. Courts have upheld the freedom of 
speech to the detriment of the privacy interest. Even when the informa- 
tion is false, courts have been reluctant to allow restrictions on the col- 
lection and dissemination of personal information. To establish a 
stronger case for privacy, we concentrate on a special type of privacy: 
privacy of personal identifiable information. Two aspects are crystal- 
lized in order to focus on this privacy/free speech confrontation. First, 
personal identifiable information is defined as processable information 
that refers to uniquely identifiable persons. This would exclude personal 
information embedded into raw data such as casual oral gossip. Second, 
acting on personal information is limited to the initial phase of the per- 
sonal information flow model. This model includes four phases: the cre- 
ation, gathering, processing, and disclosing of personal information. The 
foundation for our thesis is: restrictions on the creation of personal iden- 
tifiable information are necessary for free speech. 


1. Introduction 


It is widely acknowledged that privacy rights and the rights to freedom of 
speech conflict with each other to such an extent that reconciling the two is 
conceptually difficult. The situation is not promising for privacy as illustrated 
in the following quotes: “The rights-based, individual-centered analysis of pri- 
vacy has failed. The law has not been able to satisfactorily reconcile privacy 
and freedom of speech. Privacy is inevitably trumped by the overarching power 
of free speech, an almost indomitable democratic value” (Wacks, 1999). Also, 
“[P]rivacy protections against disclosure, when analyzed in light of our long- 
standing tradition of protecting free speech and a free press, seem quite prob- 
lematic” (Solove, 2004). 

In the United States, it is claimed that restrictions on the disclosure of 
true personal information interfere with the First Amendment right to free 
speech (Solove, 2004). According to Cate and Litan (2002), “Virtually without 
exception, the Court has upheld the right to speak or publish or protest under 
the First Amendment, to the detriment of the asserted privacy interest [...] Even 


365 


when the information is false, the Supreme Court has been loath to allow re- 
strictions on its collection and dissemination.” The Court even held that the 
broadcast of an illegally intercepted cellular telephone conversation was pro- 
tected by the First Amendment (Bartnicki v. Vopper). The Court based its hold- 
ing on the fact that the intercepted cellular telephone conversation involved a 
matter of public interest (Cate & Litan, 2002): “[E]ven expression not on a 
matter of public importance, if truthful, would be constitutionally difficult to 
restrain” (Cate et al., 2002). With regard to privacy agreements such as con- 
tracts or privacy policies, “the extent to which the First Amendment will im- 
pose any limit on the government’s ability to impose procedural requirements 
[e.g., in writing] for privacy contracts, or default rules that apply in the ab- 
sence of such contracts, is unsettled” (Cate & Litan, 2002). 

Our goal in this paper is to wrest back to privacy some ground based on 
a positive argument that privacy allows free speech to flourish. The strategy is 
as follows. 


(1) We limit the notion of privacy to a specific type: the privacy of personal 
identifiable information. Furthermore we concentrate on processable personal 
identifiable information. This would exclude information embedded into raw 
data such as casual oral gossip. 

(2) We divide the handling of personal identifiable information into four mod- 
ules: creating, gathering, processing, and disclosing personal information. We 
show that creating personal identifiable information is different from gather- 
ing or disclosing it. Consequently: 


(a) To counter the claim that restricting the collection, processing, and disclosing 
of personal information inhibits free speech, we introduce the extreme case of 
everyone creating processable personal identifiable information about others. Ac- 
cording to the typical free speech position, such a situation would make free 
speech flourish because it includes no restrictions, but, we argue, the extreme sur- 
veillance over persons leads to self-censorship that hinders free speech. So this the- 
oretical situation simultaneously encourages and inhibits free speech. 

(b) We conclude that free speech needs a balance between restricting and unre- 
stricting the creation of personal identifiable information. Thus, our main the 
proposition is: 


Some type of restriction in the creation of personal identifiable information actu- 
ally enhances free speech. 


In reaching this conclusion, we introduce several new analyses of the related 
notions. The privacy of personal identifiable information is defined in precise 
terms. Free “persona identifiable information” speech is separated from the 
general principle of free speech. 


366 








2. Personal Identifiable Information 


The central component of “nearly all definitions of information privacy is the 
term ‘personal information’” (Kang, 1998). Personal information is said to de- 
note information about identifiable individuals in accessible forms (Wacks, 
1997). Defining personal information as “information identifiable to the indi- 
vidual” does not mean that the information is “especially sensitive, private, or 
embarrassing. Rather, it describes a relationship between the information and 
a person, namely that the information— whether sensitive or trivial— is some- 
how identifiable to an individual” (Kang, 1998). Marx (2006) identified nine 
types of descriptive information on individuals such as locational, temporal, re- 
lationships, behavioral, beliefs, and characterizations. These types of “de- 
scriptive information” fall into the category of personal identifiable 
information. Analyzing these types may contribute to a refined definition of 
sensitive personal identifiable information. 

In the remainder of this paper we will use “personal identifiable infor- 
mation” instead of “personal information.” Typically, some data are said to be 
"private," other data are public. But there is a difference between "private" and 
“personal identifiable” data. “Private” data may include personal non-identi- 
fiable information that is exclusively controlled by its owner. We adopt the 
definition of personal identifiable information (PII) proposed in Al-Fedaghi 
(2005). Personal identifiable information pertains to a uniquely identifiable 
person. Personal identifiable information is any information that has referent(s) 
of type (natural) person. Accordingly, there are two types of PII: 


1. Atomic PII has a single human referent. 
2. Compound PII has more than one human referent. 


“Atomic” signifies the “subject” of information and not the composition of in- 
formation that expresses that fact. Thus, John is tall and handsome, John is 
tall, and John is handsome are all atomic pieces of information, even though 
the first contains the second and third statements. 

The relationship between individuals and their own atomic PII is called 
proprietorship [1]. A piece of atomic PII is proprietary PII of its proprietor 
(referent). Compound PII is proprietary information of its proprietors (refer- 
ents). Any compound PII is privacy-reducible to a set of atomic PII. For ex- 
ample, John and Mary are in love can be privacy-reducible to John and 
someone are in love, and Someone and Mary are in love. 

Defining informational privacy is described as “a dizzying endeavor” 
(Lin, 2002), and “extremely broad” (Cate, 1997). Obviously, informational pri- 


367 


vacy is a type of privacy related to information. In 1977, the U.S. Supreme 
Court recognized “the individual interest in avoiding disclosure of personal 
matters” (Whalen v. Roe). Volokh (2000) states that the right to privacy as in- 
terpreted by the Supreme Court “has little to do with any right to informational 
privacy.” He uses “right to information privacy” to refer to “my right to con- 
trol your communication of personal identifiable information about me.” Ac- 
cording to Volokh (2000), “barring any person from communicating personal 
identifiable information about me is ‘speech restriction’ that raises First 
Amendment problems.” He proposes utilizing the law of contract as legal pro- 
tection of information privacy. He observes that: “It's clear that information 
privacy speech restrictions cannot be justified on the grounds that “they don't 
restrict speech, they only restrict the sale of information.” Speech is often the 
sale of information. Consider the Wall Street Journal, the Encyclopedia Bri- 
tannica, and amazon.com, the contents of which are fully constitutionally pro- 
tected against government suppression even though they're sold for money.” 
To understand the nature of informational privacy, we conceptualize two 
types of privacy: informational and non-informational. Furthermore, infor- 
mational privacy itself is classified into two kinds: personal identifiable in- 
formation privacy and personal non-identifiable information privacy. Personal 
non-identifiable information privacy includes acts on personal non-identifi- 
able information. An example of this type of privacy is looking, without per- 
mission, at a diary that happens to not include personal identifiable 
information. The act is privacy-related; however, it does not involve personal 
identifiable information as defined previously. Personal identifiable informa- 
tion privacy is our conceptualization of “informational privacy.” In order not 
to confuse the terminology we use “information privacy” to mean the com- 
mon use of such a name and use the name “personal identifiable information 
privacy (PII privacy)” to refer to our conceptualization of such a notion. 
According to our definition of personal identifiable information, every 
information about an identified individual is personal identifiable information. 
Clearly, much of this personal identifiable information is insignificant in terms 
of privacy. We further categorize personal identifiable information into two 


types: 


1. Significant PII such as John is caught urinating on tape. This infor- 
mation is clearly of privacy significance from John’s point of view. 

2. Insignificant PIT such as Madonna won her right to use the domain 
name madonna.com. It is newsworthy information, and Madonna 
would not consider release of (e.g., publishing) such information an in- 
trusion on her claim for informational privacy. 


368 








Even though there is no criterion that precisely divides these types of 
personal identifiable information, it seems that in most cases, the difference 
between them is apparent. No one claims information such as John hit a per- 
son with a brick or John murdered a person to have privacy-related signifi- 
cance. Many works in the area of privacy have no difficulty in identifying 
(significant) privacy in domains such as health information or financial infor- 
mation. Consequently, we will assume that it is possible to decide the category 
of significant personal identifiable information. 

Privacy of personal identifiable information is an attribute of PII that 
makes it significant. The “significance” here means that the privacy trait of in- 
formation has an intrinsic value that makes it an object of respect. This is the 
claim of personal information ethics (PIE) introduced in (Al-Fedaghi, 2006a). 
PIE recognizes personal identifiable information itself has an intrinsic moral 
value. Recognition of the intrinsic ethical value of personal identifiable in- 
formation does not imply prohibiting acting upon the information. Rather, it 
means that while others may have a right to utilize personal identifiable infor- 
mation for legitimate needs and purposes, it should not be done in such a way 
that devalues personal identifiable information as an object of respect. The 
human-centered significance aspect of personal identifiable information de- 
rives from its value to a human being as something that hides his/her secrets, 
feelings, embarrassing facts, etc., and something that gives him/her a sense of 
identity, security and, of course, privacy. 

Our basic proposition is to defend privacy of personal identifiable in- 
formation (not the privacy of general information) in its confrontation with the 
right to free speech. Furthermore, to strengthen the PII privacy position, we 
concentrate on specific acts: the creation of personal identifiable information. 
Acts of personal identifiable information are analyzed next. 


3. Acts on Personal Identifiable Information 


Al-Fedaghi (2006c) proposed a model of the flow of personal identifiable in- 
formation that provides a systematic method of understanding related notions 
and explains a broad variety of cases by illustrating the relationships among dif- 
ferent actors on personal identifiable information. According to Kang (1998), 
“privacy involves the control of the flow of personal identifiable information 
in all stages of processing— acquisition, disclosure, and use.” In general, per- 
sonal identifiable information has “a tendency to propagate far from the initial 
context of its disclosure and to persist for long periods of time” (Strandburg, 
2005). The model of personal identifiable information flow divides function- 
ality into four modules or phases that include entities and processes. 


369 


Creating information 
New personal identifiable information is created at points by proprietors, non- 
proprietors (e.g., medical diagnostics by physicians) or deduced by someone 
(e.g., data mining that generates new information from existing information). 
The created information is utilized for such purposes as decision making, is 
collected, or it is immediately disclosed. 

In the PII creation phase, we distinguish among three types of personal 
identifiable information: 


(a) Processable Personal identifiable information: Processable information 
is information in a representable, realizable and movable form that can be repli- 
cated and exists separately from its source. The notion of “processability” here 
focuses on structured information in an appropriate format. The creation of 
personal identifiable information requires that its content comes in a useable 
form such as a linguistic expression, photograph, a line in a web page, a news- 
paper headline, and recorded words from a speech and the like. The process- 
able PII then exists separately from its creator and waits to be copied, 
“gathered” by others, or disclosed to someone, thus becoming an item in the 
flow of information. This type if information is important in our development 
of a firmer definition of personal identifiable information privacy. It is almost 
natural that people watch other people; however, it is unusual that people cre- 
ate personal identifiable information about other people. So when we propose 
later to restrict creating processable personal identifiable information, this pro- 
posal would sound more acceptable as a form of controlling other people’s ac- 
tions. The “processability” of personal identifiable information is a 
characteristic of information generated by many types of acts. For example, 
telephone tapping or wiretapping is often accomplished by means of recorded 
data. 
(b) Unprocessable personal identifiable information: Unprocessable infor- 
mation is raw information in unusable form. For example, personal identifiable 
information that is spoken but not recorded is non-capturable, non-preservable 
and non-processable. It vanishes as waves in the sea without leaving a tangi- 
ble trace. “Much off-hand exchange is easily forgotten, and one may count on 
the obscurity of his remarks, protected by ... the listener's inability to refor- 
mulate a conversation without having to contend with a documented record” 
(Harlan J., dissenting in United States v. White). The flow model requires per- 
sonal identifiable information that circulates through its modules. 
(c) Un-realizable personal identifiable information: This includes formless 
personal identifiable information such as thoughts and feelings. 

Hereinafter we will refer to processable personal identifiable information 


370 








as merely personal identifiable information. Furthermore we reserve the term 
personal identifiable information privacy to any act that involves processable 
personal identifiable information. Our purpose is to carve out of the fuzzy ge- 
neral concept of privacy the firmer notion of PII privacy and apply it to free 
speech. This does not mean that unprocessable PII and un-realizable PII are not 
important to study and analyze. 

In this paper we concentrate on the first type of PII: processable perso- 
nal identifiable information. With regard to processable/unprocessable infor- 
mation, we notice that the distinction of acts based on the form of information 
appears in several areas. For example, the legal term “libel” is described as de- 
famatory written communication, while slander is oral. It can be speculated 
that such a distinction came from an era in which the common permanent me- 
dium for creating information was writing. The modern achievement of the 
permanence of the written and spoken word may explain why some jurisdic- 
tions group slander and libel together. 


Gathering personal identifiable information 

Existing personal identifiable information is gathered either after creating it or 
after disclosing it. For example, whenever gathering information, either it is 
gathered from someone who has created it (in text, photographic forms, etc.) 
or it is gathered from a source that is not necessarily its creator. Notice that 
one application of our model is that privacy rules and guidelines can be spec- 
ified according to different phases of the PII flow. For example, the minimal- 
ity principle of the Fair Information Practices is applied in the gathering phase. 


Processing of personal identifiable information 

This function involves acting (e.g., storing, data mining, marketing) on PII for 
whatever purpose it is collected. For example, building into the system the 
ability to challenge the accuracy, completeness, and updatability of the stored 
data (e.g., as required in the EU 1995 privacy directive) is a way of process- 
ing personal identifiable information. The creator, gatherer, and possessor of 
PII can be the same entity. 


Disclosing personal identifiable information 
This function involves releasing PII to insiders or outsiders. For example, this 
function is concerned with access control/security of PII. 

Next we concentrate on creating PII. We show that distinguishing be- 
tween creating personal identifiable information and gathering, processing, and 
disclosing, has significant importance in the alleged conflict between infor- 
mational privacy and free speech. 


371 


4. Creating personal identifiable information 


Information collection presupposes the creation of processable personal iden- 
tifiable information. The creation of PII involves “bringing into permanent ma- 
terialistic form” (e.g., speech, print, image) the information that did not exist 
before. Permanency here means the ability to replicate the information into its 
exact form as in the cases of recording conversations, and photographs. We 
exclude here, for example, dinnertime conversation of unprocessable PII since 
it usually does not involve propagation of an exact copy of the original infor- 
mation. As Warren and Brandeis described this difference as “personal gossip 
attains the dignity of print” (Warren & Brandeis, 1890). Peeping through win- 
dows and gossiping about it is not in the domain of personal identifiable in- 
formation privacy because the act does not involve creating information. 

Kang (1998) considers “keeping the fact of pregnancy to oneself ... 
away from familial or societal censure necessary for decisional privacy— e.g., 
to choose whether to have an abortion” as an instance of information privacy. 
In PII privacy, if the “fact of pregnancy” is not recorded in any form and ex- 
ists only inside the mind of the woman, then it is not processable personal iden- 
tifiable information. However, the medical records of pregnancy are such 
information. In separating privacy of personal identifiable information from 
the un-formalized situations such as gossiping and oral unrecorded interac- 
tions, we can formulate more rigid rules that are applied to privacy of personal 
identifiable information. However, this does not mean that “non-identifiable in- 
formation but still privacy-related situations” are not important. It is a “differ- 
ence between someone glancing into your window and setting up a 
24-hour-a-day videotaping post across from it. Both acts violate privacy on a 
basic level, but only the latter is truly invasive” (Karas, 2002). In our case, any 
videotaping is a creation of PII. 

At the creation phase, PII is created directly by proprietors, non-propri- 
etors, or indirectly by processing existing information to deduce new personal 
identifiable information. At the creation phase the created PII can be used by 
its creator (e.g., to make a decision). For example, PII of a proprietor writing 
his/her diary never reaches the collection phase and the information is used by 
him/her (e.g., remembering, reminding). Alternatively, the created information 
can be immediately collected and used in the gathering phase. For example, a . 
surveillance machine creates AND collects PII (e.g., photographs). Or, the cre- 
ated PII is immediately disclosed to someone else (e.g., by filling out an ap- 
plication), thus, whoever is “disclosed to” becomes a gatherer (point 7) of PII. 

In this paper we concentrate on the creation phase because it is impor- 
tant for our thesis: restrictions on the creation of personal identifiable infor- 


372 








mation are necessary for free speech. This thesis concerns only personal iden- 
tifiable information created by other persons. We can also include here per- 
sonal identifiable information created by its proprietor. 


Creating and Gathering 
Not every act of creating personal identifiable information is gathering as in 
the case of keeping a diary. Creating one’s own personal identifiable informa- 
tion is a PII privacy act, even if the information is never used beyond that. In 
George Orwell’s 1984, the mere creation of personal identifiable information, 
such as writing a diary, is punishable by death or at least by twenty-five years 
in a forced-labor camp. 

When we distinguish creating from collecting personal identifiable in- 
formation, we allow four ways of dealing with that information: 


(a) Generating informal off-hand PII. 

(b) Creating PII without the notion of gathering (writing own diary). 
(c) Creating AND gathering PII simultaneously. 

(d) Gathering PII without creating it (e.g., buying it from others). 


These levels give us more flexibility in designing different rules at different lev- 
els. The creating notion is applied to non-proprietors creating of PII. We focus 
later on (c) to wrest PII privacy from free speech. The issue is not Volokh’s 
“right to stop people from speaking about you” (Volokh, 2000), rather it is the 
right to stop people from creating PII about you. 


The creation of personal identifiable information may be incited either 
by the proprietor or by information gatherers/processors. Public nudity is not 
in the domain of personal identifiable information privacy until someone 
(maybe the proprietor him/herself) creates a processable version of it (e.g., 
photograph, linguistic description). This fine discretion affects many notions. 
For example, privacy consent (e.g., see me nude) is different from informa- 
tional consent (e.g., creating personal record of my nudity). Thus, it makes 
sense that a streaker exposes his “non-informational privacy” based on 
anonymity (no one in the crowd knows him) while he objects to creating per- 
sonal identifiable information record of the event because it identifies him 
uniquely. Revealing or exposing oneself is different from creating personal 
identifiable information. 


Surveillance and creating/ gathering Phases 

To illustrate the difference between the creating/gathering phases and the pro- 
cessing/disclosing phases, consider the issue of surveillance. PII surveillance 
is a way of creating personal identifiable information that is characterized by 


373 





a continuity of the creating, collecting, processing and disclosing of informa- 
tion, focusing on a certain person with the objective of spotting/mining cer- 
tain PII to be used for some purpose as decision making. 

Outdoor surveillance cameras are information creation and gathering 
machines. The surveillance issue is centered on utilizing them not to gather in- 
formation, but rather, the concern arises when they are used in the processing 
and disclosing phases. Some people claim that, conceptually, there is no dif- 
ference between an outdoor surveillance camera in the park and what people 
across the street can see. This is not exactly correct since the cameras are cre- 
ating and gathering information while passers-by or onlookers are not. The 
analogy between these cameras and people across the street is. correct if the 
people across the street are writing descriptions and sketching the people in 
the park. The privacy concern arises when the people across the street process 
the descriptions and sketches to identify certain people in the park and disclose 
these written descriptions and sketches of identified persons to other peo- 
ple/agencies to create records of personal identifiable information about them. 
In other words, the analogy between these cameras and people across the street 
holds when these people across the street are detectives. Outdoor surveillance 
cameras can act as people across the street or they can act as detectives. They 
become detectives when they are converted from information creation/gather- 
ing machines to PII creation/gathering/processing/disclosing machines through 
connections to computers or manually processing/disclosing the PII. In this 
case the processing phase includes face-recognition, indefinite storage, and 
profiling by merging the data with other databases. The objection to this tech- 
nology is not to the information creation/gathering aspect but to its misuse as 
Orwellian machines. This aspect comes from the processing and disclosure 
phases. It is reasonable to use outdoor surveillance cameras as machines that 
create and collect information about the situation in the park, and then auto- 
matically destroy the collected information after a retention period if no ex- 
ceptional event (e.g., crime) has occurred there. Cameras in shops are installed 
in such a way that an observer could watch the shelves. These usages exclude 
the processing and disclosing phases. Similarly, the red light cameras are ba- 
sically creating/gathering machines because the collected information is only 
processed to identify those cars that run the red light, while other information 
is destroyed automatically. 

This distinction between being seen by people across the street and ob- 
served by surveillance agents is a refinement of Wasserstrom’s notion of ob- 
servation that “hinders the construction of deep social relationships” 
Wasserstrom (1978), Kang (1998) and Benn (1984) have also observed this 
difference between casual observation and surveillance, but they did not relate 


374 








it to the difference between PII as we defined it and non-informational privacy. 


Creating and Disclosing 
The processing and disclosing of personal identifiable information occurs if 
that information already exists in some form (linguistic, digital, pictures), while 
creating PII occurs where no such information existed previously. Thus, the 
U.S. military’s “Don’t ask, don’t tell” policy prevents a gay male or lesbian 
from creating information (filling in forms) about his or her homosexuality, 
not from disclosing it. This is an important distinction because restricting the 
disclosure of information is usually counted as restriction of free speech, while 
creating personal identifiable information may not be, as we will show later. 
The distinction between creating and disclosing personal identifiable in- 
formation can explain several notions. Consider the child pornography laws 
that are, first, laws against the creating -not disclosing- the pornographic ma- 
terials because children are not capable of giving appropriate consent to the 
creation of such materials. We propose that the United States Supreme Court 
rejected restrictions on virtual pedophilia, simply because it does not involve 
the creation of child pornographic materials. The issue of child pornographic 
materials is a PH privacy issue related to the incapability of children to give ap- 
propriate consent, while virtual pedophilia pertains to the privacy of personal 
non-identifiable information. 


The creation of PII and processing/disclosure phases 

The relationship between creating/gathering PII on one hand and process- 
ing/disclosing PII can be illustrated through the following scenario from Kang 
(1998): 


Imagine that a psychiatrist publishes verbatim counseling notes in a best- 
selling book, but in a way that the specific identity of the patient cannot 
be determined. If the patient protests at having her story chronicled in ag- 
onizing detail to the public, could the good doctor respond that because 
the information is not identifiable to the specific patient, even with ad- 
ditional research, it is not “personal information”? 

The crucial point here, however, is not the substantive judgment about 
whether the patient’s privacy was violated; instead, the essential insight 
is that this type of fact-pattern presents an authentic, if unusual, privacy 
problem, which cannot be dissolved by wordplay. Cf Doe v. Roe, 400 
N.Y.S.2d 668 (N.Y. Sup. Ct. 1977) (finding a breach of implied contract 
between psychiatrist and patient). 


But, this type of fact-pattern is described in our model as creating personal 
identifiable information. During the treatment, the psychiatrist created and 


375 


gathered personal identifiable information, and then processed it and disclosed 
it. The patient did not create personal identifiable information, but implicitly 
or explicitly gave her consent to create and gather it during treatment sessions, 
and she never gave her permission to proceed in the PII flow to the processing 
and disclosing phases. It is clear from the flow of information model that the 
psychiatrist processed the information to anonymize it and also disclosed the 
result to others. Should there be a rule that controls created PII in certain con- 
text (e.g., psychiatric treatment)? This control extends by implication to gath- 
ering PII because others create the PII. If there is such a rule, then it is different 
from processing and disclosure-related rules that are concerned with existing 
personal identifiable information such as disclosing materials in a diary. 

In these circumstances, the patient can claim that at the creation phase 
of PII, being spontaneous, she has less control over the generation of un- 
processable information from which the psychiatrist created PII. According to 
the U.S. Supreme Court, “words would be measured a good deal more carefully 
and communication inhibited if one suspected his conversations were being 
transmitted and transcribed” (Harlan J., dissenting in United States v. White). 
We add that words are even more carefully measured if the person suspected 
that his conversations were being transcribed for the purpose of process- 
ing/disclosure. Suppose that the patient had written (created) her feelings and 
given the writing to a reporter who disclosed the anonymized writing to the 
public. This case is different because the patient created her PII while the re- 
porter was only a gatherer (may also be a processor) of PII. 


Processing/disclosing PII and casual observation 


Consider the following scenario by Kang (1998): 


A general law governing the flow of all personal information, regardless 
of its connection to cyberspace, would constrain too often even casual 
observation [Italic added]. That is because information collected through 
real space is comparatively less specific, less computer-processable, less 
linked to a unique identifier of the individual, and less permanent. ... 
Suppose I meet Jane at a party and see her wearing a smart silk scarf, 
which I later note in my spiral notebook. The next day, in conversation 
with a friend, I mention my having met Jane and relay what she wore. 
Because I am processing personal information descriptive of Jane, an 
unprocessable privacy law that knew no cyberspace boundary might 
apply to what I wrote in my journal and what I said to my friend. But 
should Jane have control over what is written in my journal even if it 
does concern her? If she asked me to delete it, I would not feel any ob- 
ligation, besides courtesy, to obey. ... By drawing some cyberspace/real 
space boundary, we substantially decrease regulation of “casual obse- 
rvation.” 


376 








In this scenario, only the note in the notebook is of concern for personal 
information privacy since, in this case, the person did create and gather per- 
sonal identifiable information about Alice. The general law governing the flow 
of all personal identifiable information can be applied to the processing of 
what he wrote in his notebook such as making copies of it and distributing it 
to others. In this case, Jane can claim that his acting on her personal informa- 
tion is no longer solely of concern to him. In our information flow model, the 
same law regarding the processing of PII can be applied in cyberspace and re- 
ality. Casual observation does not apply to processing/disclosure of PII as we 
defined it. Our discretion of information flow into four phases and limiting the 
definition of PII to processable PII makes it possible to apply rules uniformly 
to different domains. 


5. Creating Information and Free Speech 


In this section we return to the collection of personal identifiable information 
and free speech. Bronski (2000) states that “[a]rguing for privacy is always de- 
fensive, never fully assertive.” We argue assertively that unrestricted creation 
of personal identifiable information by others may restrict free speech. In other 
words, restricting the creation of personal identifiable information by others 
may enhance free speech. Since gathering personal identifiable information 
depends, to a great degree, on creating it; this argument affects the gathering 
of personal identifiable information. 

Consider the issue of a proprietor’s control over other people’s actions 
on his/her personal identifiable information. The question can be greatly sim- 
plified if we identify the part of the model where the claim for control is ap- 
plied. Is it in the creating, gathering, processing, disclosing phases, or is it in 
other secondary acts such as processing in the form of data mining? At this 
point we ought to remember that non-processable personal identifiable infor- 
mation privacy is not under consideration here. Thus, an absolute bar on 
sodomy is not a matter of personal identifiable information as long as it does 
not involve the creation of personal identifiable information. Suppose that the 
persons involved recorded the act in some form. Here, we move to the terrain 
of personal identifiable information privacy. In ancient Sodom, the act is legal; 
however, the legality of creating, gathering, processing, and disclosing the 
record of such an act is another issue. 


“Control” of personal identifiable information can be classified ac- 
cording to the four phases: 


(a) Control of others’ creating of PII: This issue is directly related to free speech 


since the proprietor wants to have power over what others say. 
(b) Control of others’ gathering of PII: This issue is indirectly related to free speech 


377 


since the others can say whatever they want. 

(c) Control of others’ processing of PII: This issue is indirectly related to the issue 
of free speech since the others can, again, say whatever they want. 

(d) Control of others’ disclosing of PII: This issue is directly related to free speech 
since the proprietor wants to have power over what others disclose. 


Next we claim that restricting others’ creating of personal identifiable in- 
formation ((a) above) may enhance free speech. “Others” here refers to other 
persons. According to Volokh (2000), “the analysis of restrictions on informa- 
tion gathering is different from the analysis of restrictions on speech (Houch- 
ins v. KQED, Inc., 438 U.S. 1, 12 (1978)). However, he does not distinguish 
between creating and gathering of PII. 

Consider the case of the Beckhams, the famous British football player 
and his pop star wife (BBC NEWS, 2005). The couple sought an injunction 
in the High Court to stop a newspaper from printing articles about their mar- 
riage that contained allegations by their former nanny that she witnessed a se- 
ries of rows between the celebrity couple. The couple's lawyers had argued 
that the nanny's contract had included a promise not to speak about the couple's 
private lives. The judge ruled in favor of the newspaper on the grounds that the 
story was in the public interest. According to the article, “In 2003, the Law 
Lords established that there is no ‘freestanding’ right to privacy in English law. 
Instead, those celebrities who go to the courts to protect their privacy [...] have 
to bring their case under other types of action, such as breach of confidence.” 

We notice that it is reported that the nanny kept a diary during her time 
with the Beckhams. This is a creation of the Beckhams’ personal identifiable 
information. Assume that such an act is protected by free speech because as 
typically said, “a person should be able to decide for herself what to say.” This 
corresponds to the claim that a person’s expressive autonomy is to be “free to 
listen and observe in places where she has a right to be and among people with 
whom she has a right to interact in order to learn more and then speak about 
it” (Baker, 2004). 


[A]utonomy identifies the person with agency, with action, and with the 
possibility of choice. ... This perspective accords, I think, with the view 
of Justice William J. Brennan, who, after asserting that “freedom of 
speech is itself an end,” went on to say that “freedom of speech is . . . 
intrinsic to individual dignity,” ... This identification of the person with 
activity is not the only one possible. Warren and Brandeis characterized 
the privacy that they defended as based on the principle of “an inviolate 
personality.” ... Essentially, favoring “choice” over “personality” priv- 
ileges a view of the fundamental aspect of personhood as an activity 
rather than something static. To assert as basic a person’s right to have 
a characterization of her personality unchallenged by others’ expression 


378 








is an assertion of power over others—in practice over their speech 
choices but in ambition over even their mental views. 


Now, apply this line of reasoning not to the nanny but to the Beckhams. Can 
they record the daily life of the nanny as a form of free speech? To generalize 
the case, assume two persons, X and Y, living in one house where each person 
is continuously documenting the daily life of the other. According to the above 
argument, creating and recording the PII in this case is a form of a person’s ex- 
pressive autonomy to be “free to listen and observe in places where she has a 
right to be and among people with whom she has a right to interact in order to 
learn more and then speak about it.” Such activity enhances free speech of X, 
as shown in the dotted lines in Figure 1. X creates and collects PII about Y, 
which enhances X’s free speech. Nevertheless, this creation and collection of 
PII of Y is a type of restriction on the speech of Y. Being constantly watched 
by X in how he/she acts (e.g., expressing self through writing on his/her com- 
puter), is a type of censorship. 


X creating and collecting personal information about Y 


~ m n m n a ae 


ra DA 
I t 
wg gt 
Free speech #------- nies Ror =--> Restricted speech 
of X of Y 





Figure 1: Reciprocal relationship between creating PII and free speech. 

A similar situation occurs in the shadowed half of Figure 1 where Y is 
the one who creates and gathers information about X. Each person exerts con- 
trol over the other’s free choices by watching the other person and recording 
his/her activities. We mentioned that we are concerned only with personal iden- 
tifiable information created by other individuals and also personal identifiable 
information created by its proprietor under various forms of gathering infor- 
mation practiced by others. For example, the Beckhams can make the nanny 
create personal identifiable information about herself through questioning and 


379 





probing. The situation is worse than Jeremy Bentham’s concept of the Panop- 
ticon since is does not involve only constant surveillance but also constant re- 
cording of such surveillance. Notice that our definition of PII surveillance is 
limited to recorded activities; however, recording a person’s activities implies 
watching and listening. The privacy harm of this type of situation impedes per- 
sonal activities. Each person will try to shield himself from the other person. 
It “threatens not only to chill the expression of eccentric individuality, but also, 
gradually, to dampen the force of our aspirations to it” (Cohen, 2000). This 
simply limits a person’s freedom, including freedom of speech and expression. 

Consider the opposite case, where creating personal identifiable infor- 
mation about others is absolutely prohibited. This leads to a situation where 
material containing personal identifiable information does not exist. The span 
of the prohibited acts is the recorded activities. This is the case in most of 
human history (and in some current isolated societies) before inventing any 
kind of codes or symbols where people do not exchange any kind of PII. Free 
speech about unprocessable personal identifiable information is untouched by 
such a rule. Even, gossip is possible in this society as long as the content of gos- 
sip is not recorded in any form. 

Consider again the first situation where everyone creates processable 
personal identifiable information about everything that other people do. The 
span of the permitted acts covers every aspect of life of the persons, thus such 
a situation has far more effect on society. Even in the Orwellian society, only 
important acts are recorded. It seems that such a general, comprehensive situ- 
ation of recorded surveillance has neither existed nor even been imagined in the 
history of man. 

We have reached the conclusion that restrictions on creating/collecting 
of personal identifiable information are more tolerable than unrestricted cre- 
ating/collecting of PII. Such a conclusion encourages asserting that PII privacy 
protects more than restricts free speech. Additionally, PII privacy does not 
lead to invisibility (look at man’s history), and it is not inconsistent with a per- 
son’s expressive autonomy or in contradiction with the right of free speech 
about others. 

In general, a balance between free speech and PII privacy can be achie- 
ved. Instead of Alexander Hamilton’s saying: “[t]o be more safe, they [people] 
at length become willing to run the risk of being less free” (Federalist Paper 8), 
we claim that “to be more free in speech, people ought to become willing to be 
less free in intruding on personal identifiable information privacy.” This means 
that restrictions on the creation of personal identifiable information by other in- 
dividuals are necessary for free speech. 

According to Volokh (2000), for PII speech restrictions, “existing First 


380 








Amendment precedents would have to be substantially stretched ... the stret- 
ching may make the doctrine loose enough to give new support to many other 
restrictions.” Volokh gives the following example of stretching: Bans on se- 
xually-themed speech might become justified. Our argument is based on the 
claim that: 


(1) Permitting the creation of PII is necessary for free speech. 

(2) Restricting the creation of PII is necessary for free speech. 

(3) Permitting the creation of PII and restricting such creations are neces 
sary for free speech. 


This is also applied to restrictions on creating personal identifiable sexual in- 
formation mentioned by Volokh. We notice that restrictions on this type of spe- 
ech are already available through the invasion of privacy tort. Now we apply 
the same rationale for sexual personal non-identifiable information: 


1. Creation of sexual personal non-identifiable information is necessary 
for free speech. 

2. Restriction on creating personal non-identifiable information is neces- 
sary for free speech. 


Clearly, (2) cannot be claimed based on our thesis. Thus, restricting the creation 
of personal identifiable information cannot be stretched to apply to bans on 
personal non-identifiable sexually themed speech. As we mentioned previo- 
usly, personal (i.e., with identifiable persons) sexually themed speech has al- 
ready been restricted. A similar argument can be applied to other examples in 
(Volokh, 2000). 

The difference between recorded and unrecorded information in the pub- 
lic domain is a known distinction in legal circles (Paton-Simpson, 2000). In 
cases that involve tapping telephones, recording the telephone conversation is 
an indication of “a deliberate eavesdropper” (United Kingdom: Francome v. 
Mirror Group Newspapers Ltd, 1984). 

In a legal case, a photographer snapped a picture of a woman with her 
dress blown up by the air jets at the County Fair (Daily Times Democrat v. 
Flora Bell Graham). The court determined that to take a person's photograph 
without consent in public is not an invasion of the right of privacy. It is rea- 
soned that: 


On the public street, or in any other public place, the plaintiff has no 


right to be alone, and it is no invasion of his privacy to do no more than 
follow him about. Neither is it such an invasion to take his photograph 


381 





in such a place, since this amounts to nothing more than making a record, 
not differing essentially from a full written description of a public sight, 
which anyone present would be free to see. (Supreme Court of Alabama, 
1964). 


We can see here the mixing of “free to see” (unprocessed information) and 
“free to record” (processed information), and between “a full written descrip- 
tion of a public sight” and creating personal identifiable information (identifi- 
able person). McClurg (1995) points out that a photograph intensifies invasion 
of privacy since it is a permanent record, which allows intrusive scrutiny to be 
extended indefinitely and the potential to freeze-frame an embarrassing mo- 
ment. These are characteristics of personal identifiable information. 

Our approach not only distinguishes informational from non-informa- 
tional privacy-related situations, but also between processable and non-pro- 
cessable information, and creating and gathering information. According to 
our thesis, both restricting and not restricting the creation of personal identi- 
fiable information are necessary for free speech. We concluded that free spe- 
ech requires a balance between these two types of rules. Creating a picture of 
an identified woman with her dress blown up by the air jets is the type of cre- 
ation that needs to be restricted on this ground. 


6. Conclusion 


We have: (a) introduced a refined version of informational privacy: personal 
identifiable information privacy, (b) introduced the notion of processable per- 
sonal identifiable information in contrast to non-processable personal identifi- 
able information, (c) introduced a model of personal identifiable information 
flow that can be used as a base for the analysis of such information, (d) pro- 
posed a distinction between creating personal identifiable information and 
other types of acts on this information, (d) applied these concepts to the con- 
flict between privacy rights and the rights to freedom of speech, and (e) showed 
that restrictions on the creation of personal identifiable information are neces- 
sary for free speech. These contributions can be utilized in further studies of 
privacy theory. Notice that (e) uses an argument that limits the creation of PII 
to persons. 


382 








References 


l. 


11. 


12. 


13. 


17. 


18. 


Al-Fedaghi, S. (2006a, May). Crossing privacy, information, and ethics. Paper pre- 
sented at the 17" International Conference Information Resources Management As- 
sociation, Washington, DC. 


Al-Fedaghi, S. (2006b, April-May). How would Aristotle define privacy? Paper pre- 
sented at the First International Conference on Legal, Security and Privacy Issues in 
IT, Hamburg, Germany. 


Al-Fedaghi, S. (2006c, June). Aspects of personal information theory. Paper presen- 
ted at the 7th Annual IEEE Information Assurance Workshop (IEEE-IAW 2006), Uni- 
ted States Military Academy, West Point, New York. 
http://www. lib.unb.ca/Texts/PST/2005/pdf/fedaghi.pdf 


Al-Fedaghi, S. (2005, month). How to calculate the information privacy. Paper pre- 
sented at the Third Annual Conference on Privacy, Security and Trust, St. Andrews, 
New Brunswick, Canada. 

Baker, C. E. (2004). Autonomy and Informational privacy or gossip: The central me- 
aning of the First Amendment. Social Philosophy and Public Policy 21, 215-68. 
Benn, S. I. (1984). Privacy, freedom, and respect for persons. In F. D. Schoeman 
(Ed.), Philosophical dimensions of privacy (pp. 239-41). New York: Cambridge Uni- 
versity Press. 

Bronski, M. (2000). Two rulings by the Supreme Court last week have strengthened 
our right to privacy. But is that necessarily a good thing? The Worcester Phoenix, 
June 16 - 23. 

Cate, F. H. (1997). Privacy in the information age. Brookings Institution Press. 
Cate, F. H. & Litan. R. (2002). Constitutional issues in information privacy. Michi- 
gan Telecommunications Technical Law Review 9(35), 35-63. 

Cohen, J. (2000). Examined lives: Informational privacy and the subject as object. 
Stanford Law Review 52 (1373), 1391-1402. 

Kang, J. (1998) Information Privacy In Cyberspace Transactions. Stanford Law Re- 
view 50 (1193), 1212-20 (April). 

Karas, S. (2002, Spring). Enhancing the privacy discourse: Consumer information 
gathering as surveillance, Journal of Technology Law & Policy 7(1), 29. 

Lin, E. (2002). Prioritizing privacy: A constitutional response to the internet. 
http://www. law. berkeley.edu/journals/btlj/articles/vol1 7/LIN.pdf 

Marx, G. T. (2006). What’s in a Concept? Some Reflections on the Complications 
and Complexities of Personal Information and Anonymity, University of Ottawa Law 
& Technology Journal Vol 3 No 1. 

McClurg, A. J. (1995). Bringing privacy law out of the closet: A tort theory of liabi- 
lity for intrusions in public places 73 North Carolina Law Review, 989. 
Paton-Simpson, E. (2000, Summer). Privacy and the reasonable paranoid: The pro- 
tection of privacy in public places, University of Toronto Law Journal 50(3), 305- 
346. 

Solove, D. J. (2004). The virtues of knowing less: Justifying privacy protections aga- 
inst disclosure. Duke Law Journal, 53, 967. 

Strandburg, K. J. (2005). Privacy, rationality, and temptation: A theory of willpower 
norms. Rutgers Law Review 57(4), 1237. 


383 








19. 


20. 


21. 


22. 


23. 
24. 


Supreme Court of Alabama (1964). Daily Times Democrat v. Flora Bell Graham, 
March 26, http:/Avww.nsulaw.nova.edu/faculty/documents/graham.pdf 

Volokh, E. (2000). Freedom of speech and information privacy: The troubling impli- 
cations of a right to stop people from speaking about you. Stanford Law Review, 52, 
1559. 

Wacks, R. (1999, September). Privacy reconceived: Personal information and free 
speech. Paper presented at the 21st International Conference on Privacy and Perso- 
nal Data Protection, Hong Kong. 

Wacks, R. (1997). Privacy in cyberspace. In Birks, P. (Ed.), Privacy and loyalty (pp. 
91-112). Oxford, New York: Clarendon Press. 


Warren, S. & Brandeis, L. (1890). The right to privacy, Harvard Law Review 4, 193. 


Wasserstrom, R. (1978). Privacy: Some arguments and assumptions. In R. N. Bro- 
nough (Ed.), Philosophical law: Authority, equality, adjudication, privacy (pp. 148- 
166). Contributions to Legal Studies, 2. Westport: Greenwood Press. 


384 








User Perspective of Privacy in Mobility Pricing Systems: 
A Survey 


Muhammad Usman Iqbal & Samsung Lim 


PhD Candidate [1], Senior Lecturer [2] 
School of Surveying and Spatial Information Systems 
The University of New South Wales 


m.iqbal@student.unsw.edu.au, [1] s.lim@student.unsw.edu.au [2] 


Abstract. Mobility-pricing is one of the avenues leading to the 
‘information highway’. Using a combination of positioning, communi- 
cation and information processing, automobile insurance can be priced 
based on actual mileage of the vehicle. Vehicle’s location is periodically 
and electronically disclosed to a central server for invoice generation. 
This raises the possibility of this data being used to reveal the driver’s 
identity and social activity. Past research has only been speculative of the 
‘motorists’ privacy perspective’. This paper uses mobility-priced insu- 
rance as a case study and reports the results of a survey where respon- 
dents are asked to indicate their preferred trade-off between location 
privacy and the setup costs of a hypothetical mobility-priced insurance 
product. The respondents are also asked about their willingness to reveal 
location information to various social groups as a function of the time of 
day and day of week. It is hoped that the results of this research can be 
used to influence the design of other mobility-based payment systems. 


Keywords: Location-privacy; Mobility pricing; transport surveillance; tracking; ano- 
nymity; Global Positioning System (GPS); telematics 


Introduction 


The automobile has gradually evolved from an analogue machine with mostly 
mechanical and hydraulic components to an electronic system with a growing 
number of computer-based systems. The term ‘Telematics’ is specifically being 
used for the combination of communications, positioning and computing tech- 
nologies on-board the vehicle for improving the safety, security and comfort of 
vehicle occupants. Satellite navigation is becoming increasingly available on 
new mid range car models as standard feature. Likewise, aftermarket Global 
Positioning System (GPS) products are also becoming increasingly affordable. 
This capability enables the use of positioning equipment for other value added 
services. Various services have been proposed, including, emergency response, 
stolen-vehicle tracking and GPS-based road charging (Vidales & Stajano, 2002; 
Zhang, Wang & Hackbarth, 2003). 


385 








Within the realms of this ‘smart car’ revolution, mobility-pricing has 
drawn recent attention. Mobility pricing means that different taxes, levies and 
insurance charged to motorists for using the roads can be priced based on ac- 
tual mileage (Litman, 2001). Various insurance companies now offer products 
that take customers’ mileage into account and offer reduction in premiums 
using GPS and GSM (Global System for Mobile communications) boxes for — 
position determination and reporting (Norwich Union, 2007; Tripsense, 2007). 

While there are apparent benefits in using telematics-driven payment 
systems, the location disclosure requirement raises privacy issues. Travel be- 
haviour profiles of motorists can be generated which can be used to make in- 
ferences about them, without their knowledge or consent. Some privacy 
researchers have tried to address this issue by designing privacy-aware telem- 
atics payment systems (Coroama & Langheinrich, 2006; Iqbal & Lim, 2006). 
These designs, however, have only been speculative of the motorists’ privacy 
preferences. Therefore, it is vital that public opinion is considered as an input 
to the design process of privacy-aware systems. 

This paper uses mobility-priced insurance as a case study and reports 
the results of a survey where respondents are asked to indicate their preferred 
trade-off between location privacy and the setup costs of a hypothetical mo- 
bility-priced insurance product. The respondents are also asked about their 
willingness to reveal location information to various social groups (e.g. fam- 
ily, co-workers) as a function of the time of day and day of week. The results 
of this research can be used to influence the design of other mobility based 
payment systems, e.g. road tax, paid parking, electronic toll collection. Section 
2 presents a background about mobility pricing and its associated privacy is- 
sues. 


Background 
2.1 Mobility pricing and location privacy 


Mobility-pricing of insurance is a new approach to employ location techno- 
logy and customise insurance premiums to more accurately reflect the actual 
risks encountered on-road. This would reduce the cross-financing of high-risk 
drivers by low-risk ones and increase fairness of insurance systems. Mobility- 
pricing systems use GPS logs to calculate the distances travelled on different 
types of roads in order to invoice customers. These GPS logs are disclosed to 
the pricing server using the GSM network. With the current architecture of 
sending GPS logs to a central server, there is a possibility of a range of privacy 
abuses. There would be unintentional transmission of information such as how 
fast do drivers accelerate, how hard do they brake, and how often do they go 


386 








above a prescribed speed limit (Iqbal & Lim, 2007a). Similar data might even 
be used to find the driver’s situation just before a collision. It is also possible 
that these systems may conveniently enable ubiquitous surveillance of any re- 
gistered motorist causing a chilling effect to their privacy. 

These developments, however, have not gone unnoticed from privacy 
researchers. In the context of mobility-pricing, Coroama and Langheinrich 
(2006) implemented a GPS based insurance system where premiums are cal- 
culated on-board the vehicle ensuring privacy of motorists. There is periodic 
transmission of aggregated information to the insurance provider for bill ge- 
neration. Iqbal and Lim (2006) extended this idea further and proposed a GPS- 
based insurance product that preserves location-privacy by computing 
distances travelled on the on-board unit and additionally safeguarded ‘spend- 
privacy’ by proposing smart card based anonymous payment systems. 

As shown in Figure 1, GPS data provides precise time and position in- 
formation. There is a risk of making inferences about individuals based on 
these travel logs, which may be misleading. Iqbal and Lim (2007b) highligh- 
ted these issues by developing an automated profile generation tool that made 
inferences about individuals. They collected GPS data from users representing 
different communities at the university campus ranging from academic and 
support staff, to postgraduate and undergraduate students. They demonstrated 
that various inferences can be made about these individuals based on their GPS 
data. They inferred home addresses, the university subgroup the volunteer re- 
presents (staff, student, etc) and the on-road travel behaviour of these indivi- 
duals. These inferential privacy threats are further exasperated by the 
possibility of this data being used to calculate an individual’s actual risk-expo- 
sure and future premiums without users’ explicit knowledge or consent. 


2.2 Related work 


Within the realms of location-privacy, various surveys have been conducted 
to seek an understanding of how much users value their location information. 
Some studies sought to determine the monetary value that would attract a per- 
son to disclose his/her location information while other studies focused on the 
social relations that people would be comfortable in disclosing their where- 
abouts to. 

Danezis et al. (2005) conducted an experiment with undergraduate stu- 
dents at a university campus where they explained the potential respondents 
that their mobile cell location information would be used for a period of 28 
days at a 500m resolution in exchange for financial incentives and selection of 
candidates would be based on a reverse auction sequence. Potential respon- 
dents were asked to go online to a portal and make their bids about how much 


387 


compensation they expected to disclose their location data for the length of the 
required study. The bids ranged from £0 - £400 with a mean value of £27. This 
study provides a measure of personal privacy although this value may be a 
lower bound on the value of user’s location information as a typical under- 
graduate student may have a greater desire to sell his/her information at a 
cheaper price than the general population. 

Barkhaus and Dey (2003) also conducted a series of experiments in an 
attempt to gauge how students rated ubiquitous services for usefulness and in- 
trusiveness. Four hypothetical services, among which two were location-track- 
ing and the remaining two position-aware, were provided to the users for use 
on their mobile phones. Position-aware services computed the position on the 
mobile phones independent of the network, while the location-tracking serv- 
ices notified an interested party once the user’s mobile phone was within a pre- 
defined region. Interviews conducted with the participants revealed that people 
were more concerned about being tracked than when their mobile phone re- 
acted to a change in location. Nearly one-third of the participants said that they 
would never use location tracking applications because of their intrusive nature. 

The aforementioned studies demonstrate that research has yielded im- 
portant results in understanding user perception within the spectrum of loca- 
tion-privacy. However, not much work can be found in the current literature 
which incorporates user opinion in the design of ‘privacy-aware location tech- 
nology’. This paper is an effort to understand user perspectives when it comes 
to designing privacy-aware solutions. 


Survey 


An online survey was conducted to gauge user opinion in the design of a hy- 
pothetical insurance product with inherent privacy-protecting features. Re- 
spondents were asked to indicate their preferred trade-off between location 
privacy and the setup costs of this system. This survey seeks to understand 
only the ‘trend in privacy vs. cost’ that respondents make, rather than explor- 
ing actual setup costs. The survey also seeks user opinion in their willingness 
to reveal location data to different social networks as a function of time of day 
and day of week. The results of these preferences can be used to customise pri- 
vacy middle-ware, e.g. in case of an emergency or accident, the middle-ware 
would know who to disclose the location/position data to. 


3.1 Methodology 


The survey was available online which allowed participants to complete it in 
their own time, in a place of their own choosing. The user responses were 


388 








stored in a relational database and were completely anonymous. Upon com- 
pletion of the survey, analysis of this data was performed using a well-known 
statistical analysis package, SPSS 10.0, and the hypotheses were verified by ap- 
plying various statistical tests. Before respondents take the survey, they are 
presented with a small animation in an effort to increase their understanding of 
the benefits and threats of location technologies. Participation to this survey 
was completely voluntary and no compensation was offered. The survey took 
about 14 minutes to complete. It was refined through several iterations of pilot 
testing and critique. 


3.2 Video clip 


A video clip is presented to the participants as a survey introduction (Iqbal & 
Lim, 2007c). This clip aims to provide the respondents a background in order 
to reduce any biases that they may have about telematics and location-privacy 
by presenting scenarios depicting positives of the technology as well as po- 
tential abuse (see figure 2). The video starts with the GPS satellite constella- 
tion revolving round the earth. The satellite signals then propagate onto the 
surface of the earth where a vehicle, fitted with a GPS based telematics system, 
receives the signals to position itself on the road and report its location to a 
telematics call centre. In the same scene, the vehicle is involved in a collision. 
The call centre receives a notification of air-bag deployment on the vehicle 
and its last position. The call centre then dispatches emergency personnel to the 
accident site. This scene acknowledges the safety-of-life advantages that can 
be brought about using telematics systems. 

On the abuse side, the video clip displays a potential attacker’s hideout, 
where continuous tracking of target individuals is being performed. Retro- 
spective analysis of collected data is performed and is presented on the screen. 
Information like average and instantaneous speed, preferred routes to different 
destinations, residential addresses, and driver’s road behaviour are covered. 


3.3 Population 


Participants are recruited by circulating advertisements via email on various 
web-based mailing lists, of the school and industry. Population included aca- 
demic members, undergraduate and graduate students, members from the in- 
dustry and consulting. The invitation email contains a brief description of the 
survey, and the web-site Uniform Resource Locator (URL) to the home page 
of the survey. The aim was to collect at least 100 responses of adults over the 
age of 18. The data from this survey represents the opinions of 133 respon- 
dents, almost half of which (49%) came from the 26-32 age group. 17% of the 


389 





respondents do not drive a vehicle or have a licence to drive a vehicle. The 
participants were diverse with respect to profession, and the occupations ranged 
from business-men to engineers, but information technology professionals are 
over-represented at 54% of the sample. 

A non-probability sampling technique called the ‘convenience model- 
ling’ is used in this research, which means the survey is based on self-selection 
of respondents. With internet-based surveys, the common criticism is that they 
are not adequate for general population surveys. The criticism is well-founded, 
but this does not mean that internet survey results are of no value. A survey con- 
ducted by the Australian Bureau of Statistics of adults with access to the in- 
ternet in Australia concludes that web users are generally young, highly 
educated professionals (ABS 2000) as evident from this survey’s sample space 
too. It is acknowledged that the survey sample here is not truly representative 
of the wider community, but as telematics become largely available, and more 
people start using it, it is expected that their privacy preferences would closely 
match that of the sample population of this survey. 


3.4 Questionnaire 


Once the video clip ends, survey respondents are provided with a link to pro- 
ceed to the questionnaire. The respondents are asked to provide personal in- 
formation including age, gender, profession, type of licence, and type of vehicle 
they drive in an effort to determine demographics for the further questions. 
The null hypothesis postulated assumes there is no correlation between the 
choice that individuals made about privacy features and their demographics 
which would be later tested in the results section. Section 2 of the survey is de- 
signed to gauge the interest of respondents in acquiring GPS navigation de- 
vices for their vehicles, and to test if they have adequate understanding of its 
use. Section 3 contains of one of the most important questions of this survey, 
which was to probe respondents’ attitude in their choice when it comes to pri- 
vacy-aware systems vs. costs of maintaining privacy. The idea here was to find 
out if users were keen on acquiring highest privacy regardless of the costs in- 
volved, or moderately rated privacy threats. Section 3 explores location dis- 
closure to social networks. Respondents were asked to reflect upon who they 
felt should access their location information during different times of the day, 
e.g. during working hours or after hours or weekends. 


390 








Results 
4.1 Telematics and GPS 


In order to ascertain the importance of conducting privacy research in telema- 
tics, respondents are asked if they would be interested in acquiring GPS devi- 
ces and telematics services for their vehicles. When asked if the respondents 
would be interested in purchasing a satellite navigation product for their ve- 
hicle, 17% responded that they would purchase one in the near future, while 
42% responded that they would buy one if the prices drop significantly. 26% 
said they were not interested in acquiring such a product in the near future 
while the remaining said they were not interested at all, Therefore more than 
half (60%) said they would consider buying a GPS navigation device sooner 
or later. 

Similarly, when the respondents were asked if they would be interested 
in accessing telematics services, more than half (56%) responded that they 
would subscribe to the freely available services, while 25% were even willing 
to subscribe to the paid services. This demonstrates that there is a potential 
market for telematics in the imminent future, as more than 81% respondents 
were interested in telematics. Only 7% of the remaining respondents said they 
would not subscribe due to driver-distraction issues, while the 11% responded 
that they were not interested in any telematics services. 

Therefore, this interest from respondents justifies investigation of pri- 
vacy issues in telematics, so that privacy is a design feature of future telemat- 
ics services, not just an ‘after-thought’. 


4.2 Privacy-aware insurance design 


An important question of this survey is related to mobility-pricing, and pri- 
vacy. Respondents were given an explanation of GPS-based insurance and its 
potential benefits of increasing fairness for premium calculations. At the same 
time, the survey also mentioned the potential threats related to location dis- 
closure. Respondents were asked what option they would choose if new pri- 
vacy preserving insurance products are on the market. The following options 
are listed in the survey to determine user opinion, 


+ Fairer premiums, highest privacy but higher setup costs 

e Fairer premiums, moderate privacy but with medium setup costs 

e Fairer premiums, lowest privacy and lowest setup cost 

e Not interested due to privacy reservations 

e Not interested, as J am happy with current insurance arrangements 


391 





Consistent with Westin's (1991) conclusion on online privacy attitude, 
there was an apparent grouping of the population’s subset that chose one of 
the first three privacy-aware options (see figure 3) and can be divided into three 
broad categories respectively. There is a privacy fundamentalist minority of 
11% who are willing to pay the highest infrastructure costs to maintain the 
highest privacy followed by a pragmatic majority of 28% who are satisfied 
with moderate privacy if they are required to spend a moderate setup cost. Fi- 
nally there is a marginally concerned minority of 12% who are not concerned 
with their privacy and opt for lowest setup costs, i.e. existing mobility-pricing 
offerings. Other significant subgroups which do not choose any form of GPS- 
based insurance due to privacy issues with such insurance (23%) or are satis- 
fied with their existing insurance arrangements (19%). 


4.3 Location disclosure to social networks 


The last section of the survey aims to ask respondents who would they com- 
fortably disclose their locations at different times of days. Five groups of peo- 
ple, namely, employer, peers, friends, family, and three types of time periods, 
namely, working hours, after hours, and weekends are identified. The major- 
ity of the respondents agreed to disclose their location to their family (or sig- 
nificant other) at all times. In case of location disclosure to friends, the response 
was almost balanced with a slight inclination towards the willingness to dis- 
close location to friends. More importantly, and interestingly, the majority of 
respondents did not prefer to disclose their location information to their em- 
ployers, peers at work, and team (who they supervise) during working hours, 
after-hours or weekends. 

During the design phase of the survey, it was predicted that there may 
be a correlation between the choice that respondents make about privacy-aware 
GPS-based insurance and the access to their location they provide. Bi-variate 
analysis between ‘people choosing a form of GPS-based (highest privacy, mod- 
erate privacy or lowest setup cost)’ and ‘location disclosure based on relation- 
ship and time’ reveals a significant relationship. There appears to be a positive 
correlation (Pearson Chi-Square, significant at the .001 level) between the peo- 
ple choosing insurance that is capable of tracking people and the choices those 
people make to disclose their location information. In summary, what this 
means is that people who opt for any type of GPS-based insurance would most 
certainly only disclose their location to their families. 


4.4 Demographics and rewards programs 


Past survey based research has indicated that there is a relation between de- 
mographics and the importance people place on their privacy (Westin 1998). 


392 








With the aim of verifying this attitude, the survey asks respondents to provide 
demographics data including age and gender, among other variables. Bi-vari- 
ate analysis using Crosstabs in SPSS lead to a positive correlation between 
gender and subscription to rewards programs. There appears to be a weak re- 
lationship between the two (Chi-Square statistics significant at the 0.05 Level). 
Survey results suggest that the female populace is more careful of privacy 
abuse and value their privacy more even if financial or other incentives like re- 
wards programs are offered (see figure4). Furthermore, this relationship is con- 
sistent with Westin’s findings who suggested a relationship between 
demographics and the level of online privacy concerns of respondents. Anal- 
ogy can be drawn with his findings where he suggested that women expressed 
higher levels of concerns on every privacy-related issue about which they were 
questioned. The bar-chart in figure 4 reveals that females censure incentives 
like rewards programs in exchange for location disclosure more then their male 
counterparts. 


Discussion 
5.1 General 


In the past, road travel used to be an anonymous experience, where the only 
possible way of tracking an individual was through physical surveillance. The 
systematic monitoring of public places has provided the opportunity of a ubiq- 
uitous surveillance system. While it is generally accepted that individuals 
should not expect similar privacy protection in public places as they would ex- 
pect in their private spaces, these location identification technologies raise 
grave issues such as what expectation of privacy an individual in public places 
should have. 

While technological developments have made mobility pricing a reality, 
the privacy issues associated with such technologies raise concerns. It is criti- 
cal to incorporate public opinion in the design process of such technologies to 
assuage any social issues that may arise in the future and cause public dispel. 
The authors believe that the results of this survey would provide a critical input 
in the design of privacy-aware telematics solutions from the consumers’ per- 
spective. To the authors’ knowledge no such initiative has been taken before. 
Past surveys using psychological and experimental economics techniques have 
only focused in assessing the extent to which location information is valued by 
individuals (Acquisti & Grossklags, 2005; Cvrcek et al., 2006; Danezis et al. 
2005), but not on their participation and willingness in redesign of privacy- 
aware positioning solutions. Important issues have been highlighted as a result 
of this survey, which need further exploration. 


393 








Engaging in public discussions and valuing public opinion would be es- 
sential in designing privacy-aware systems tailored to citizens’ needs. As evi- 
dent from the attitude of respondents when their opinions were sought in 
redesigning privacy-aware GPS-based insurance, one-fourth of the respondents 
declined in participating due to privacy issues. There can be many explana- 
tions to this scenario but regardless of the motivation, there is a considerable 
minority who perceive a privacy threat from new technological developments. 
Likewise, contrary to other surveys conducted to find how much financial value 
respondents give to their location-privacy (Cvrcek et al. 2006; Danezis et al. 
2005), the results from this survey indicates that respondents were not willing 
to subscribe to rewards programs in exchange for giving up their location 
tracks. Therefore, to obtain public acceptance, even privacy-aware solutions 
should cater to public opinion. 


5.2 Function Creep 


If existing mobility pricing solutions are allowed to proceed, they have the ca- 
pability to collect huge amount of personal location data from consumers. 
There are concerns raised by privacy advocates about the function creep this 
data enables (Wigan & Clarke, 2006). There is a possibility that authorities 
would like to access mobility data collected by GPS-based insurance projects, 
by providing rebates and incentives to insurance providers and use this data for 
national congestion charging schemes, or enhancing mass surveillance proj- 
ects. This same data may also seek secondary uses, much different from the ini- 
tial intended purpose that it was collected for. There is also a possibility that 
data collected through mobility pricing would be sold to third parties like Orig- 
inal Equipment Manufacturers (OEMs), and vehicle part makers for their 
analysis. 


5.3 Privacy-aware Middle-ware 


Results of the survey can help regulate privacy-aware differentiated pricing 
solutions. It is clear that the majority of respondents are interested in mobility 
pricing and do not expect absolute privacy guarantees. While privacy expec- 
tation is not quite high for the majority pragmatists, there is reasonable expec- 
tation to control the granularity and disclosure of information with 
customisation features embedded into the privacy-aware middle-ware. There- 
fore, privacy researchers working on telematics privacy design should cater 
for sufficient flexibility and control of location data for users. Additionally, 
survey results have also indicated that users value their social relationships 
strongly when it comes to location disclosure. Therefore, this information can 
be used for good reason, and stored to inform close family members in the 
event of an accident or emergency. 


394 








One should expect that privacy-aware user interfaces would be quite 
complex and contain many configurable options, one such interface that was 
recently identified is the GM FleetView (2007), which is primarily for fleet 
management, but has built-in privacy features. Employees may find such sys- 
tems quite useful to track work-related travel for tax purposes; however, these 
individuals operating such vehicles have a reasonable expectation of privacy 
when using the vehicles after-hours. This survey’s results also support the no- 
tion, where the majority of respondents were against disclosing location in- 
formation to their office personnel after-hours or weekends. 


Concluding Remarks 


Mobility pricing is inevitable. It is considered to be one of a few ways to in- 
troduce the concept of fairness of road tax and motor insurance. While econo- 
mists have argued about the increased social benefits of variable pricing, there 
has been increased resistance from politicians and user groups about such a 
charge. The major issue, besides user acceptance, is that the mechanism of 
telematics-enabled congestion charging is vulnerable to intrusive privacy 
abuse. If mobility pricing is to be generally accepted, its privacy threats have 
to be assuaged, and public opinion polls should be sought to gather users’ opin- 
ion and attitude towards a privacy-aware redesign process as demonstrated in 
this paper. 


Acknowledgement 


The authors wish to express their gratitude to all respondents who agreed to 
participate in the online survey. The authors also wish to express their appre- 
ciation to the contribution provided by OMNILINK Pty. Ltd for this research. 


References 


1. Acquisti, A. & Grossklags, J. (2005). Privacy and Rationality in Individual Decision 
Making IEEE Security and Privacy, 3, 26-33. 

2. Australian Bureau of Statistics (ABS) (2000). Household Use of Information Tech- 
nology, Australia, 1999, Catalogue No. 8146.0, Canberra: Australian Government Pu- 
blishing Service. 

3.  Barkhuus, L., Dey, A.K. (2003). Location-based services for mobile telephony: A 
study of users' privacy concerns, in the proceedings of Interact 2003, Zurich, Swit- 
zerland, pp. 709-712. 

4. Cvreek, D., Kumpost, M., Matyas, V. & Danezis, G. (2006). The Value of Location 
Information: A European-Wide Study. Cambridge Security Protocols Workshop 2006. 

5. Coroama, V., & Langheinrich, M. (2006). Personalized Vehicle Insurance Rates — A 
Case for Client-Side Personalization in Ubiquitous Computing, Paper presented at 
the Workshop on Privacy-Enhanced Personalization at CHI 2006, Montréal, Canada, 
22 April, 2006. 

6. Danezis, G., Lewis, S. & Anderson, R. (2005). How much is location privacy worth? 
In Proceedings of Workshop on Economics of Information Security (WEIS 05). 


395 


10. 


l1. 


12. 


13. 


14. 


15. 
16. 
17. 
18. 


19. 


GM Fleetview. (2007). GM FleetView Presentation Video. Available online at: 
http://video. vividas.com/media/4630_GMFleet/web/ (accessed 18 March 2007) 
Iqbal, M.U., & Lim, S. (2006). A privacy preserving GPS-based Pay-as-You-Drive in- 
surance scheme. . Symp. on GPS/GNSS (IGNSS2006). Surfers Paradise, Australia, 
17-21 July, CD-ROM procs. 

Iqbal, M.U., & Lim, S. (2007a). Location Privacy in Automotive Telematics IN KA- 
RIMI, H. (Ed.) The Encyclopedia of Geoinformatics. Idea Group Publishing (In 
Press). 

Iqbal, M.U., & Lim, S. (2007b). An automated real-world privacy assessment of GPS 
tracking and profiling. Second Workshop on Social Implications of National Secu- 
rity: From Dataveillance to Uberveillance, Wollongong, Australia, 29 October, 2007, 
pp 225-240. 

Iqbal, M.U., & Lim, S. (2007c). Location Privacy Survey Video Animation. Availa- 
ble online at http://129.94.167.206:8080/PrivacySurvey/privacy.swf 

Litman, T. (2001). Distance-Based Vehicle Insurance: Feasibility, Costs and Bene- 
fits. Comprehensive Technical Report, Victoria Transport Policy Institute. Victoria, 
British Columbia. 

Norwich Union. (2007). Pay As You Drive Insurance - Car Insurance- Norwich Union 
UK. Available online at: http://www.norwichunion.com/pay-as-you-drive/index.htm 
(accessed 15 January 2007). 

Tripsense. (2007). TripSense- How TripSensor Works. Available online at: https://trip- 
sense. progressive.com/about.aspx?Page=HowDevice Works accessed 12 February 
2007). 

Vidales, P., & Stajano, F. (2002). The Sentient Car: Context-Aware Automotive Te- 
lematics. Paper presented at the LBS-2002. 

Westin, A. F. (1991). Harris-Equifax Consumer Privacy Survey 1991. Atlanta, GA, 
Equifax Inc. 

Westin, A. F. (1998). E-commerce & Privacy: What Net Users Want. . Hackensack, 
NJ: Privacy & American Business. 

Wigan, M. & Clarke, R. (2006). Social Impacts of Transport Surveillance Prome- 
theus, 24, 389-403 

Zhang, D., Wang, X.H., Hackbarth, K. (2003). OSGi Based Service Infrastructure for 
Context Aware Automotive Telematics, Paper presented at the IEEE Vehicular Tech- 
nology Conference, Italy. 


Appendix 


Figure 1: A sample GPS log 


ee eee ee ae ee ae 
03/17/2007 10:01 -=-= — _- —-  PowerOni === 
-03/47/2007 1002 RB aI «=m  3A2C  Okph N 


08/37/207 © 1002 -388950 LP 48m LCOS 


03/17/2007 10:02 -33,8953°. 151.1424 0.2m BSC SAkph 


l "03/17/200 7 : 40:02 se -33.89550 ie 151.1400° ai 238m i 31C f 65 kph 


N 
w 
w 
-03/37/2007 —  1œ02 -338959 BLIA 183m 314C Sakph, W 
w 


03/17/2007 10:02 -338956 159P 35 m 3148. 49 kph, 
ees ae eee ee Pe ee a N 

03/17/2007 10:02 -33,8969 151,1368 349m  3L6eC 67kph: SW 
B07 a2 -BP LBS è  Aüm  3LEC | 74h sW 


396 








Figure 2: Some scenes from the animation that respondents watched before taking 
the survey 











Figure 3: Bar-chart representing correlation between insurance options and lo- 
cation disclosure to social networks 


Percent 





Highest Moderate No Privacy No, Privacy Not Interested 
Privacy with = Privacy and Low Price issues 
Highest Price Price 


Privacy-A ware PAYD Insurance 


397 


Figure 4: Bar-chart representing correlation between rewards program sub- 


scription and gender 





Rewards 
Program 
B Yes 

E No 


Female 
Gender VS. Rewards Program 


398 








Towards a System of Estates in Virtual Property 


Juliet M. Moringiello 


Professor, Widener University School of Law 
jmmoringiello@widener.edu 


Abstract. Virtual worlds such as Second Life have received a lot 
of press in the United States recently. As individuals and businesses par- 
ticipate in these virtual worlds, questions arise regarding the application 
of existing laws to their virtual world transactions. Many questions have 
arisen regarding the property rights of participants in virtual worlds, and 
a Second Life member recently sued Linden Research, the company that 
developed Second Life, alleging that Second Life converted his virtual 
property. The questions regarding the legal nature of virtual world assets 
tend to mirror the questions regarding intangible rights generally, as co- 
urts have tended to struggle over whether these rights are property rights 
or contract rights. In this paper, I propose that the principle of numerus 
clausus be applied to virtual property, so that courts faced with disputes 
over such assets will have mandatory property forms to which to resort. 
Such an approach would limit the ability of vendors of such rights to 
customize them through their contracts, which are commonly embodies 
in electronically-presented standard forms. 


Introduction 


Virtual worlds have received a lot of attention in the American press recently. 
The New York Times mentioned Second Life in more than 20 articles between 
June 1 and October 15, 2007. Even popular television shows such as Law and 
Order have set episodes in Second Life. As people conduct their business and 
personal transactions in these virtual worlds, legal institutions are called upon 
to resolve disputes involving their rights in these worlds. 

This past year, Linden Research, the developer of the virtual world Sec- 
ond Life, was sued by one of its members, Marc Bragg. One of Bragg’s alle- 
gations was that Linden, by terminating his Second Life account, wrongfully 
deprived him of his virtual property and is thus liable for conversion. Linden 
Research, on the other hand, contends that Bragg’s use of any virtual world 
property is governed by the Second Life Terms of Service, which appears to 
grant users a license to use Linden’s property during the time that they are 
members of Second Life. 

The case of Bragg v. Linden Research [1] highlights many of the issues 
that will arise when courts are forced to determine rights in intangible assets. 
The proliferation of virtual world activity makes virtual property a good vehi- 


399 


cle for discussing the problem that courts have in determining the rights of per- 
sons in intangible assets. 

In this paper, I suggest that rights in intangible assets be viewed in the 
context of the numerus clausus principle. The numerus clausus mandates that 
there be only a fixed number of ways of holding property. The principle is uni- 
versally recognized as applicable to real property, and as a result of its appli- 
cation persons purchasing or financing real property know that they need only 
be concerned about a limited number of estates in that land (Merrill & Smith, 
2000). The numerus clausus is not applied as strictly to intangible rights (Mer- 
rill & Smith 2000). There may be several reasons for this. One is that law- 
making institutions tend to have difficulty separating intangible assets from 
the contracts that created those assets. Another is that virtual property is unfa- 
miliar to us. Often, when we think of intangible property, we think of two dis- 
tinct types of assets — payment rights, such as accounts receivable, deposit 
accounts, and negotiable instruments, and intellectual property, such as patents, 
trademarks and copyrights. 

Intangible property rights beg for standardization. Using virtual world 
property as an example, I will illustrate some of the problems that intangible 
assets raise for the law. I will then discuss the numerus clausus principle, draw- 
ing heavily from the work of Thomas Merrill and Henry Smith. I will then ex- 
plain why the numerus clausus principle would help to explain rights in virtual 
property and suggest some approaches to fashioning estates in virtual world as- 
sets. 


2. An Introduction to Virtual Worlds 


A virtual world can be defined as an online environment that is both persistent 
and dynamic (Lastowka & Hunter, 2006). It is persistent because it does not 
cease to exist when the participant turns her computer off; it is dynamic because 
it is continuously changing. There are two broad categories of virtual worlds. 
The first category consists of scripted games such as World of Warcraft and the 
second consists of non-scripted worlds such as Second Life. 

A participant in a scripted game world acquires property by playing the 
game. A player advances by acquiring game objects. These game objects grant 
powers to the player, and the player uses these powers to achieve higher status 
in the game (Ondrejka, 2004). The terms of use for games such as World of 
Warcraft forbid real-world trades of these assets. [5] Notwithstanding this pro- 
hibition, property won in World of Warcraft is routinely traded on other web 
sites. There is also an emerging economy of “gold farmers” who employ indi- 
viduals to play these games for hours on end in order to achieve and sell de- 
sirable status. 


400 








Operators of scripted games tend to eschew commodification of their 
games. One reason for their position is that the game designers have a great in- 
terest in the progression of the game. The gamers themselves have certain ex- 
pectations as well; if a participant spends hundreds of hours achieving a top 
player level, that participant does not want someone who bought his status to 
achieve a higher level than him. William Bartle, a noted game designer, com- 
pared the commodification of online games to the ability of any individual to 
purchase the world high-jump record and be recognized as the best high jumper 
in the world. According to Bartle and other game designers, game operators 
should have the ability to terminate traded characters because traded characters 
interfere with the game’s ability to function as a game (Bartle, 2006). 


In non-scripted worlds, the content and progression of the world are pro- 
vided by the participants. A person who joins Second Life can acquire assets 
in several ways. One way that a participant can acquire assets is by buying 
them. Linden conducts land auctions in Second Life, and a participant who 
wants to build a building can do so on “his” land. [2] A participant can also 
build assets using the software provided by Linden. Building is a complicated 
process, as Linden provides only the basic building units and textures (On- 
drejka, 2004). To build a house takes both time and skill. As persons with these 
skills proliferate in Second Life, they establish retail outlets for their creations. 
Therefore, a person in Second Life without much time or skill can purchase the 
items she needs for her Second Life existence from these in-world retailers. 
The participant makes her purchases with Lindens, the Second Life currency 
that, at the time of this writing, trades at 265 Lindens to the United States dol- 
lar. On the Linden Dollar Exchange, or Lindex, participants are invited to buy 
Lindens using U.S. dollars. Linden Labs does not agree to repurchase this cur- 
rency when a participant wishes to leave Second Life; rather, the participant 
must find a buyer for her virtual currency. [2] 


2.1. The Second Life Terms of Service: Do Members Receive Any Prop- 
erty Rights? 


Linden sends its users mixed messages regarding their rights in the Second 
Life assets that they either acquire by purchase or develop using their skill and 
time. In many of Linden’s messages to the public, it represents that members 
of Second Life have property rights in these assets. For instance, the Second 
Life web site, on its “Land: How To” page, appears to grant members full prop- 
erty rights in their virtual land. The page informs members that “[o]wning land 
allows you to control land.” The page goes on to inform members that they 
have rights normally considered to be components of the “bundle of rights” 


401 





that constitute property: the right to exclude (“you can prevent others from vis- 
iting or building”) and the right to alienate (“sell it”). [2] 

The Second Life Terms of Service send a very different message re- 
garding ownership rights in both virtual currency and virtual land. Contradict- 
ing the web site’s invitation to buy Lindens, the Terms of Service inform 
readers that Lindens are an “in-world fictional currency” and that by “pur- 
chasing” Lindens, the buyers are obtaining a license to use a feature of the Sec- 
ond Life product. In the Terms of Service, Linden reserves the right to manage, 
regulate or eliminate the currency for any reason in its sole discretion. 

Linden’s representations in the Terms of Service regarding virtual land 
and other assets are even more confusing. The Terms of Service grant members 
a license to use the Linden “service.” The very next paragraph, however, grants 
members “copyright and other intellectual property rights” with respect to any- 
thing they create in Second Life. One paragraph later, Linden appears to take 
back what it has just given, as that paragraph states that while a creator of con- 
tent has intellectual property rights in that content, that person has no rights in 
any data stored on the Linden servers. [2] 


A Second Life Member Sues: Bragg v. Linden Research 


Marc Bragg was a member of Second Life. He found an “exploit,” or a method 
of avoiding the Second Life land auction process. This exploit enabled him to 
acquire land cheaply. When Linden discovered this behavior, it terminated 
Bragg’s Second Life account, depriving him of his Lindens and his land. Lin- 
den found its right to terminate the account and confiscate Bragg’s assets in the 
Second Life Terms of Service. Bragg sued Linden for, among other things, 
conversion. Conversion is defined in the Restatement (Second) of Torts as “an 
intentional exercise of dominion or control over a chattel which so seriously in- 
terferes with the right of another to control it that the actor may justly be re- 
quired to pay the other the full value of the chattel.” In order for Linden to be 
liable for conversion, Bragg must establish that he had property rights in the 
virtual land and the Lindens. 

In October, 2007, the parties in Bragg v. Linden Research settled their 
dispute. In any event, Bragg might not have been the best case to establish the 
property rights of virtual world participants because Marc Bragg created noth- 
ing. He did, however, buy both Lindens and land. The one published decision 
in the case, however, illustrates why mandatory property rules might be nec- 
essary to protect the rights of those who spend a lot of time and money creat- 
ing their virtual world experience. In May, 2007, the United States District 
Court for the Eastern District of Pennsylvania held that one provision in the 
Terms of Service, the arbitration clause, was unconscionable. [1] 


402 








The May, 2007 decision gives one justification for a system of manda- 
tory property rules for virtual property. Although the court held that only one 
provision of the Terms of Service, the arbitration provision, was uncon- 
scionable, it is not a large jump to imagine the court holding the entire agree- 
ment to be unconscionable and thus unenforceable. The Restatement (Second) 
of Contracts provides that if a contract or term is found to be unconscionable 
at the time that the contract is made, the court can refuse to enforce the con- 
tract, or can enforce the contract without the unconscionable term. The Uniform 
Commercial Code has a similar provision applicable when the transaction is for 
the sale of goods. In determining whether a contract or term is unconscionable, 
courts look for evidence of oppression and unfair surprise. If a court refuses to 
enforce the Second Life Terms of Service, it seems that the Second Life mem- 
ber would be left with very little. As a remedy, a court might order Second Life 
to return the member’s money, but it is not likely that the court would order 
restoration of the land or other assets. The reason that this is not likely is that 
today, the extent of the members’ rights in those assets is not clear. Without a 
clear method of determining the property rights of virtual world participants, 
it is possible that courts will fail to separate the property rights created or trans- 
ferred by the Terms of Service from the contract created by the Terms of Serv- 
ice. This failure to adequately separate the property rights transferred by a 
contract from the contract itself is a fairly common problem in American law 
when the property rights transferred are intangible. 


3. An Argument for Applying the Numerus Clausus to Virtual 
Property 


In several other articles, I have noted that American courts have difficulty pro- 
tecting intangible rights by property rules (Moringiello, 2003; Moringiello, 
2007). As noted above, one problem that courts have is separating the contract 
creating or transferring the right from the right transferred. Several cases in- 
volving Internet domain names illustrate this difficulty. Probably the best- 
known of these cases is the decision of the Virginia Supreme Court in Network 
Solutions v. Umbro International, Inc., a case in which a judgment creditor at- 
tempted to seize a number of generic domain names registered to the defendant 
cyber squatter. In denying the creditor’s request to seize the domain names, 
the court noted that a domain name is “a product of a contract for services” 
and thus not property that could be reached by the creditor using the applica- 
ble Virginia statute. [3] This holding was curious for many reasons, not the 
least of which was the fact that generic domain names such as the pornographic 
ones at issue in Umbro were freely transferable and routinely sold for hundreds 


403 





of thousands of dollars. The problem separating an asset from the contract 
transferring the asset is unique to controversies involving intangible assets; it 
is unlikely that anyone would classify a house as a “product of a contract.” 

Another problem that American courts have in dealing with intangible 
rights is that they tend to classify all non-payment intangibles as “intellectual 
property.” Another case involving domain names, Dorer v. Arel, illustrates 
both this tendency and the harm caused by this misclassification. Dorer, like 
Umbro, involved a dispute over a creditor’s rights in a domain name. To find 
the correct property category in which to place the domain name, the court 
turned to intellectual property law, reaching a strange result. Applying trade- 
mark law, the court found that a domain name that was entitled to trademark 
protection could be considered property of the domain name registrant, but a 
domain name that was generic, or not entitled to trademark protection, could 
only be considered a contract right. [4] The strange aspect of this decision is 
that a domain name entitled to trademark protection is not easily transferable, 
as a trademark cannot be transferred without the attached goodwill. A generic 
domain name, on the other hand, is potentially worth thousands, if not hun- 
dreds of thousands of dollars. 

These cases involving domain names illustrate the need for clear prop- 
erty categories for intangible rights. The law already recognizes payment rights 
such as accounts receivable and negotiable instruments, and contains clear 
rules for the creation and transfer of such rights. The law likewise recognizes 
limited forms of intellectual property rights, and contains rules for the creation 
and transfer of such rights. Other intangible assets, however, currently escape 
easy Classification, causing courts to treat each new intangible asset as though 
it presents a case of first impression. 

The Terms of Service that create and transfer virtual world property are 
evidence of some of this classification confusion. In the world of intellectual 
property rights, it is common for the creator of the intellectual property to con- 
vey some of her rights by license. There are many reasons to convey by li- 
cense, and one effect of a license is that it avoids the “first sale” doctrine 
whereby the purchaser of the physical manifestation of the intellectual property 
takes it free from further transfer restrictions. On the other hand, it is not com- 
mon to transfer a car or a piece of real estate by license (Braucher, 2006). Lin- 
den represents on the web site for Second Life that its members own their 
in-world creations, but the Terms of Service for Second Life grant rights in the 
creations by license, characterizing the rights granted as “intellectual property” 
rights. 


404 








3.1 “Virtual Property” as an Asset Class 


Professor Joshua Fairfield has taken an important first step in classifying in- 
tangible assets that are neither payment rights nor traditional intellectual prop- 
erty rights. Fairfield labels these assets “virtual property.” According to 
Fairfield, virtual property is distinguished by three qualities: it is rivalrous, per- 
sistent, and interconnected. (Fairfield, 2005; Lastowka and Hunter, 2006). Vir- 
tual property’s rivalrousness distinguishes it from intellectual property rights. 
Intellectual property itself is a loosely defined category in that it is really an um- 
brella term used to describe several ways in which the law protects ideas. In- 
tellectual property is distinguished by its non-rivalrousness, that is, many 
persons can enjoy intellectual property rights at the same time without dimin- 
ishing the quality or usefulness of the rights. 

The Internet can be said to blur the line between Fairfield’s “virtual prop- 
erty” and what we commonly think of as intellectual property. For instance, 
when we think of intellectual property on the Internet, we commonly think of 
computer code, whether that intellectual property be software or a song. Intel- 
lectual property protects ideas, but a pure idea is not entitled to protection as 
intellectual property. For instance, for an idea to be protected by copyright in 
the United States, the idea must be fixed in a tangible medium. Computer code 
qualifies as such a tangible medium, although few people ordinarily think of 
computer code as tangible. The code itself is not the intellectual property, the 
idea embodied in the code is. 

Virtual property (or, as I have named such property in an earlier article, 
“electronic assets”) is also made up of computer code. This code, however, 
acts like tangible personal property, in that it is rivlarous, meaning that it can 
be possessed or controlled by only one person at a time. Because it is code, 
however, the natural impulse of persons dealing with it is to place it in the in- 
tellectual property category. 

I suggest, as does Professor Farifield, that computer code that acts like 
tangible property should be viewed by legal institutions as the equivalent of 
other rivalrous property, such as tangible personal property and real property 
(Fairfield, 2005). Persons involved in lawmaking must segregate the pure idea 
from the vessel containing the idea. If I purchase a stained glass window from 
an art gallery and install it in my house, few people would argue that I do not 
own the stained glass window. Certainly, I cannot copy and sell the design, but 
I can sell the window. Likewise, if the artist who made the window used 
patented raw materials to make the window, she cannot claim intellectual prop- 
erty rights in those materials, but she does have intellectual and other property 
rights in the finished product. This concept is recognized in copyright law; the 


405 





ownership interests in the copyright and the associated tangible copy are com- 
pletely independent (Rothchild, 2004). Fairfield’s virtual property should be 
viewed in the same way as this tangible property — whether it be the raw ma- 
terial or the finished product. But viewing virtual property as tangible property 
is only one step in determining the rights that are transferred, and this is why 
the numerus clausus is relevant. 


3.2 Why the Numerus Clausus Makes Sense for Virtual Property 


The term numerus clausus refers to the principle that the permissible forms of 
property interests are limited, or “the number is closed.” The numerus clausus 
distinguishes property rights from contract rights; contracts, which bind only 
the parties thereto, can be customized with few limits, but property rights, 
which bind the entire world, can be customized in a limited number of ways. 
The numerus clausus exists in American law in the American system of es- 
tates in land, and the principle prevents courts from recognizing property in- 
terests that fall outside of the closed set. As a result, when parties attempt to 
customize property interests in a way that does not conform to a fixed form (a 
common example is the landlord who conveys a tenancy “for the duration of 
the war”), a court faced with this novel interest will determine which of the 
recognized property forms best fits the interest that the parties created (Mer- 
rill & Smith, 2000). 

In their article, Optimal Standardization in the Law of Property: The 
Numerus Clausus Principle, Thomas Merrill and Henry Smith offer several 
defences of the principle. The defence that resounds most strongly in the vir- 
tual property area is the argument that the numerus clausus minimizes the ex- 
ternal costs of measurement. The principle protects all market participants. For 
instance, the buyer of a house knows, because of the operation of numerus 
clausus, that title to the house can be held in only a limited number of ways. 
This person does not need to research infinite ways of holding title to property; 
title to the house can be conveyed in fee simple, as a life estate, or in a defea- 
sible fee. If title is held by two people, they can hold the house as tenants in 
common, joint tenants, or tenants by the entirety. The concept of title is invis- 
ible to the buyer of a home in ways that other aspects of the home, such as the 
number of bedrooms or the condition of the kitchen, are not (Merrill & Smith, 
2000). 

It is for these invisible aspects of property, like title, that the numerus 
clausus principle exists. As Merrill and Smith point out, one way to control 
external measurement costs is by the standardization of property rights. The 
numerus clausus principle applies most strongly to the aspects of property that 
are the “least visible and hence the most difficult for the ordinary observer to 


406 








measure” (Merrill & Smith 2000, p.34). Although Merrill and Smith concede 
that notice of interests in property can help solve the problem of external meas- 
uring costs, they make a distinction between notice of rights and the ability of 
persons to process that notice (Merrill & Smith, 2000). 

Merrill and Smith’s measuring cost justification for the numerus clausus 
is particularly relevant as new forms of intangible property emerge. Notice of 
rights in intangible assets is notoriously difficult to process. These rights are 
often granted in electronically-presented standard-form contracts. Although 
American courts tend to enforce such contracts so long as the offeree is given 
sufficient notice of the terms (Moringiello & Reynolds, 2006), many of these 
contracts are lengthy and difficult to understand. As noted above, the Second 
Life Terms of Service appear to both grant and deny property rights to mem- 
bers of Second Life. Without a standard framework for estates in virtual prop- 
erty and other electronic assets, the participants in the markets for such assets 
will be forced to spend a great deal of time inquiring about the possible extent 
of their rights in such assets. 

This measuring cost problem is obvious in the domain name market. 
There are numerous domain name registrars, all of which transfer domain 
names pursuant to electronically-presented standard-form contracts. To the 
casual observer, all domain names might appear to be part of a standard cate- 
gory of property. Certainly they differ in name, and they will also differ ac- 
cording to their top-level domains, such as .com and .net. The contracts offered 
by the registrars create different property rights, however. For example, both 
Network Solutions and Register.com sell names in the .com domain. Both reg- 
istrars provide that their domain names can be voluntarily transferred by the 
registrant-owner. The Network Solutions contract, however, provides that the 
name cannot be involuntarily transferred (to creditors, for instance), while the 
Register.com agreement allows both voluntary and involuntary transfers. As 
alienabity is a key component of property rights, these two nearly identical 
contracts, conveying nearly identical assets, in fact transfer somewhat differ- 
ent estates in those assets. This pattern surely repeats itself with all types of vir- 
tual property, including virtual world assets, which are conveyed by contracts 
that are not only unique to the operator of the virtual worlds, but which are 
also subject to change, resulting in property rights that may differ based on the 
date that the owner joined the virtual world. 


4. Working towards a System of Estates in Virtual Property 


A strict system of estates appears at first to be limited to real property. While 
it might be desirable to import portions of the real property. system of estates 
to virtual worlds, it is also possible to apply some similar concepts from the law 


407 





of personal property. Moreover, if a numerus clausus principle is to apply to in- 
tangible assets generally, it is important to keep in mind that some of these as- 
sets will not resemble real property in the way that virtual world assets might. 
A sale of tangible personal property transfers the equivalent of a fee sim- 
ple, or full ownership, in that asset. A sale is not the only method by which 
personal property can be conveyed, however. As explained earlier in this paper, 
rights in intellectual property are often licensed. In addition, persons often enter 
into lease transactions for tangible personal property. In American law, parties 
entering into lease and license transactions are not able to customize their con- 
veyances in limitless ways. In that sense, the numerus clausus principle is alive 
for personal property conveyances. Both leases and licenses can be recharac- 
terized as sales if the relevant transaction possesses too many characteristics of 
a sale (Winston, 2006). The rule that both licenses and leases can be recharac- 
terized as sales is a product of the common law, and the lease rule has been cod- 
ified in the Uniform Commercial Code. Applying such a rule to the Second 
Life Terms of Service, a court might possibly rule that, regardless of the lan- 
guage of the contract, the contract conveys ownership rights, not license rights. 
Full, or fee simple, ownership, might not be the most desirable form of 
ownership for virtual world property. As noted above, some virtual world op- 
erators, the game operators, have a great interest in the progression of the game. 
For them, perhaps the most desirable property regime is the license regime, as 
a license grants permission to use something. (Nimmer, 2002). Because game 
operators have such a great interest in the design of the game, it would not be 
unreasonable for them to retain ownership rights in the virtual assets while 
granting permission to the players to use those assets.Other virtual world op- 
erators have less interest in the progression of the world, but nevertheless have 
an interest in their members co-existing in a peaceful fashion. In worlds such 
as Second Life, members “own” assets that look like both personal and real 
property. For instance, a Second Life member might buy “land” from which she 
can exclude others, she might hire someone to build her a house on that land, 
and then she might make or purchase furniture for that house. A question might 
arise as to whether all of this property should be treated the same for the pur- 
pose of a system of estates, because after all, it is all just computer code. 
Operators of virtual worlds might want to provide that members forfeit 
their virtual property if they behave in a certain manner. In that case, they could 
clearly provide that the property interest transferred in a fee simple deter- 
minable, thus causing the member to forfeit his property on the occurrence of 
a stated event. (Wolf 2006). The law could provide a standard template for con- 
veying such an interest, indeed, the law does already for interests in real prop- 
erty.Alternatively, virtual world operators can adopt a fairly new form of 


408 








ownership, the condominium form. It is not hard to imagine a virtual world as 
a giant common interest community, along the lines of a condominium or a 
homeowners’ association. Property in condominiums and homeowners’ asso- 
ciations is commonly transferred by deeds that contain numerous covenants 
with which the property owners must comply. Failure to comply with such 
covenants results not in forfeiture, but in fines. (Stoebuck & Whitman, 2000). 
Property law generally disfavours forfeiture, and the amount of time and money 
that many virtual world participants spend developing their virtual assets would 
support the argument that forfeiture would be unfair to the members. 


5, Mandatory Rules versus Private Ordering 


Subjecting intangible rights to application of the numerus clausus principle 
naturally creates tensions with the idea of freedom of contract. Applying the 
numerus clausus, however, does not forbid all customization of intangible as- 
sets. First, the numerus clausus is not absolutely closed; it has opened to admit 
new forms of property rights such as the condominium and the right of pub- 
licity (Merrill & Smith, 2000). 

The most valuable function of a property rights, or in rem, approach to 
intangible assets such as virtual property would be its channelling function. As 
noted above, American courts presently view such assets either as new intel- 
lectual property rights or as pure contract rights. A property rights approach 
incorporating the numerus clausus would channel courts away from viewing 
these rights as pure contract and channel them towards treating them as valu- 
able assets that can be traded and financed. Merrill and Smith explain this func- 
tion in The Property/Contract Interface. According to Merrill and Smith, the 
in rem strategy takes a two-step approach to use rights. First, such a strategy 
identifies particular assets and determines the person who is the owner of that 
asset. Second, the owner determines who can use the assets and the ways in 
which those persons can use it (Merrill & Smith, 2001). It is this first step, the 
identification of the asset, which would most help to clarify the law of intan- 
gible assets. Today, we too quickly classify virtual property as intellectual prop- 
erty that can and should be licensed. A numerus clausus approach might force 
us to think about the asset created or acquired by the virtual world member as 
something distinct from the code used to create the asset. 


§. Conclusion 


It is not the purpose of this article to develop a comprehensive scheme of es- 
tates in intangible property generally or virtual world property in particular. 
Virtual worlds, however, provide an interesting factual scenario for analyzing 
rights in intangible assets generally. Courts in the United States have had a no- 


409 


toriously difficult time appreciating the property aspects of intangible rights 
transferred by contract, and as the economies of virtual worlds grow, it is likely 
that the future will bring more virtual world property disputes to the courts. 
Applying the numerus clausus principle to virtual world assets will help courts 
resolve these property disputes, lending increased certainty to virtual world 
transactions. 


Notes 


[1] Bragg v. Linden Research, 487 F. Supp. 2d 593 (E.D. Pa. 2007). 

[2] Second Life Terms of Service, retrieved October 23, 2007 from 
http://secondlife.com/corporate/tos.php. 

[3] Network Solutions, Inc. v. Umbro Int’, Inc., 529 S.E. 2d 80 (Va. 2000). 

[4] Dorer v. Arel, 60 F. Supp. 2d 558 (E.D. Va. 1999). 

[5] World of Warcraft Terms of Use, retrieved November 1, 2007, from 

http://www. worldofwarcraft.com/legal/termsofuse.html. 


References 


1. Bartle, R.A. (2006). Virtual Worldliness. In Balkin, J. & Noveck B.S. (eds.) The State of 
Play, Law, Games and Virtual Worlds (pp. 31-54). New York: New York University Press. 

2. Braucher, J. (2006). Contracting Out of Article 2 Using a “License” Label: A startegy That 
Should Not Work for Software Products. Loyola of Los Angeles Law Review Volume 40, 
261-280. 

3. Fairfield, J.A.T. (2005). Virtual Property. Boston University Law Review Volume 85, 1047- 
1102. 

4. Lastowka, F.G. & Hunter, D. (2006). Virtual Worlds: A Primer. In Balkin, J. & Noveck 
B.S. (eds.) The State of Play, Law, Games and Virtual Worlds (pp. 13-28). New York: New 
York University Press. 

5. Merrill, T.W. & Smith, H.E. (2000). Optimal Standardization in the Law of Property: The 
Numerus Clausus Principle. Yale Law Journal Volume 110, 1-70. 

6. Merrill, T.W. & Smith, H.E. (2001). The Property/Contract Interface. Columbia Law Re- 
view Volume 101, 773 — 852. 

7. Moringiello, J.M. (2003). Seizing Domain Names to Enforce Judgments: Looking Back 
to Look to the Future. University of Cincinnati Law Review Volume 72, 95-150 

8. Moringiello, J.M. (2007). False Categories in Commercial Law: The (Ir)Relevance of 
(In)Tangibility. Florida State University Law Review Volume 35 (forthcoming, available 
athttp://papers.ssrn.com/sol3/papers.cfm?abstract_id=981748 ) 

9. Moringiello, J.M. & Reynolds, W.L. (2006). Electronic Contracting Cases 2005-2006. 
The Business Lawyer Volume 62, 195 -207. 

10, Nimmer, R.T. (2002). Law of Computer Technology: Rights, Licenses, Liabilities Volume 
1 (Eagan, West). 

11. Ondrejka, C. (2004). Escaping the Gilded Cage: User Created Content and Building the 
Metaverse. New York Law School Law Review Volume 49, 81-101. 

12. Rothchild, J.A. (2004). The Incredible Shrinking First Sale Rule: Are Software Resale 
Limtis Lawful? Rutgers Law Review Volume 57, 1-106. 

13. Stoebuck, W.B. & Whitman, D.A. (2000). The Law of Property (3rd. Ed). (St. Paul, West) 

14. Winston, E.I. (2006). Why Sell What You Can License? Contracting Around Statutory Pro- 
tection of Intellectual Property. George Mason Law Review Volume 14, 93-133. 

15. Wolf, M.A. (2006). Powell on Real Property. (Albany, Matthew Bender) 


410 








No One Knows You Are A Dog:{[1] 
Identity and Reputation in Virtual Worlds 


Angela Adrian 
Lecturer in Law, 
Robert Gordon University, Aberdeen, Scotland; 
a.adrian@rgu.ac.uk 


Abstract: “Virtual world” identities are becoming indistingu- 
ishable from “real” identities, just as “e-commerce” became indistingu- 
ishable from “commerce.” Control over online avatar identities has 
begun to have many real-world consequences. We can use the graphi- 
cal, networked screen to create vibrant, visual representations of perso- 
nal identity (i.e., the avatar) separate from and independent of our offline 
characteristics while simultaneously creating context-specific reputa- 
tions in online communities separate from and independent of our social 
identity in real space. 


1. Introduction 


E-commerce is the buying and selling of goods and services over the internet. 

Virtual worlds, such as Second Life, are thriving meccas of e-commerce be- 
cause they have invented a much more appealing way to use the internet: thro- 
ugh an avatar. (Morningstar and Farmer, 1991)[2] This avatar can be 
completely customized and is designed mainly for social interaction. (Lastowka 
and Hunter, 2004) Ordinary people, who are bored and frustrated by regular 
e-commerce, participate vigorously and passionately in avatar-based on-line 
markets. Hence, e-commerce has evolved into the compelling story about in- 
dividuals and businesses recreating themselves and extending their identities 
into cyberspace. (Gautier, 1999) 

Identity online is full of possibilities and opportunities. “Virtual world” 
identities are becoming indistinguishable from “real” identities, just as “e-com- 
merce” became indistinguishable from “commerce.” Control over online ava- 
tar identities has begun to have many real-world consequences. We can use the 
graphical, networked screen to create vibrant, visual representations of perso- 
nal identity (i.e., the avatar) separate from and independent of our offline cha- 
racteristics while simultaneously creating context-specific reputations in online 
communities separate from and independent of our social identity in real space. 
We do this with “social software” technology tools which make it possible for 
our chosen communities to help to create a meaningful reputation for ourselves. 
(Noveck, 2005) As with any technological development that has an extensive 


411 


human interface, fear (“can someone steal my identity?”) and opportunity 
(“how can I make some money from this?”) are at the forefront. However, 
those in the gaming community are already focusing on what a real, rich iden- 
tity is online from an even more personal perspective. They are asking, “Who 
is in charge of this identity?” The majority of players create avatars which re- 
semble themselves to simplify identification. Nonetheless, they tend to take ad- 
vantage of the game’s possibilities to improve their representations, making 
themselves prettier, stronger, and smarter. (Filiciak, 2003)[3] This further calls 
into question who is really behind this avatar. Thus, the question before us is 
who can destroy a life (or more importantly, a reputation) online? 

Seeing how much time is devoted to virtual worlds, it seems that a si- 
gnificant portion of the population finds a life mediated through one’s Earth 
avatar less fulfilling than life mediated through an Earth avatar and one or more 
virtual others. (Alter, 2007) Digital media, including video games, enable them 
to manipulate their ‘selves’ and to multiply them indefinitely. (Filiciak, 2003) 
Many appear to enjoy these different identities each of which enjoys its own 
reputation. 

The notion of identity is one of the most important questions posed by 
Western culture; ‘self’ is the measure of reality. (Bolter, 1984) We match our 
‘selves’ to social relations and in specific situations we present a different ‘ver- 
sion’ of ourselves. To be conscious is to be engaged in a world that embeds and 
defines the subject. (Davies, 2002) Carl Jung wrote about personas, the mask 
being an integral part of our personality and shaped according to the need to 
match it with cultural requirements. (Campbell, 1972) Today individuals are 
encouraged to create their personas according to standards presented by mass 
media. One creates a persona for oneself in a manner similar to the celebrities 
who are creating trade marks for not only their products but also for themse- 
Ives. (Walsh, 2004) 

A random sample of the moniker changes of celebrities shows a rather 
predictable fact that when authors and celebrities adopt new symbols to iden- 
tify themselves, they pick better trademarks: shorter, more memorable names 
with more appealing connotations.[4] For example, Prince Rogers Nelson 
(who was formerly known as “Prince”) changed his name to a symbol defying 
conventional articulation.[5] 


ll. Identity 


Avatars “are much more than a few bytes of computer data — they are cyborgs, 
a manifestation of the Self beyond the realms of the physical, existing in a 
space where identity is self-defined rather than preordained.” (Reid, 1994) Vir- 
tual environments are the domain of liquid identity. This identity question cau- 


412 








ses all kinds of insecurities. Just who is the puppeteer hidden behind this little 
mass of bits and bytes displayed on my computer screen? Can I trust this per- 
son? Are they who they say they are? Are they really representing what they 
say they represent? Can I do business with someone I can not see? 

In any medium, social cooperation relies on trust. (Axelrod, 1984)/6] 
Signals of commitment are needed to support cooperative behaviour. We usu- 
ally rely on face-to-face mechanisms for creating these signals and trust. (Mo- 
ringiello, 2005) Cyberspace by its nature facilitates interaction which is 
independent of geography, physical space or even physical place. It changes 
how we engage in social relations. (Noveck, 2005) As soon as something is va- 
luable and persistent, we seek to associate rights and duties with it. What will 
those rights be? And what will be the law of online identity to which those ri- 
ghts apply? Raph Koster has drawn up a Declaration of the Rights of Avatar. 
“Foremost among these rights is the right to be treated as people and not as di- 
sembodied, meaningless, soulless puppets. Inherent in this right are therefore 
the natural and inalienable rights of man. These rights are liberty, property, 
security, and resistance to oppression.” (Koster, 2000) 

At first blush, this may seem to pose a marked challenge for legal the- 
ory. Law is built on the concept that the self is a unitary, rational actor. Ne- 
vertheless, psychologist, Sherry Turkle, has contended that “the ability of the 
agent to represent herself as a different person in different online communities, 
without anyone being able to trace one identity to another, effectively creates 
multiple ways of knowing, which can be thought of as multiple selves.” (Tur- 
kle, 1995) This may be a semantic issue. In such an argument, what are re- 
ferred to as ‘multiple selves’ are not the same as the ‘unitary, rational, choosing 
self’. To be more precise, the ‘multiple selves’ exist purely because a unitary 
higher-order actor, deciding rationally, chose to generate and then occupy them. 

This higher order actor is the “Self”. (Id.) At any given moment, one can ac- 
tively create himself. One’s ‘self’ arises just to be revoked a moment later and 
replaced by another ‘self’ — equally as real as the previous one. (Foucault, 
1977)[7] 

Identity is not merely a set of facts: name, location, employment, posi- 
tion, age, gender, or merely certain online behaviours. In The Presentation of 
Self in Everyday Life, Erving Goffman suggested the notion of identity as a se- 
ries of performances, where we use “impression management” to portray our- 
selves appropriately in different environments. (Goffman, 1959) Some part of 
identity is controlled by the individual, but most of identity is created by the 
world in which that individual operates. We can think of identity as a streaming 
picture of a life within a particular context. Each of us has multiple identities. 
(Clarke, 1994)[8] The role of groups in shaping ‘real life’ identities is impli- 


413 








cit, as is the multiplicity of ‘real life’ identity. What is interesting and new about 
virtual worlds is that they make this group-shaping explicit and multiplicity of 
identity actionable. 

Post-modern identity is a self-aware identity. The mechanisms running 
and ruling today’s world are complex social relations which require maximum 
flexibility. Therefore, we relinquish the attempts to maintain a single constant 
“Self”. (Turkle, 1995) Identity in the real world is carried with an individual 
from context to context — the office meeting, the cocktail party or the football 
field. He ‘is’ those set of facts. On the other hand, reputation is contextual. On 
the football pitch, one may be the great coach. But in the office meeting, one 
might always be the late comer. The fact that one is a winning sports coach is 
unlikely to automatically earn respect as an expert at a wine tasting. People do 
not carry a “good” reputation into all the different areas of their lives. Repu- 
tations are earned within particular contexts. (Zimmer, 2000) 

Conceivably the emergence of avatars will expose behaviours that seem 
contradictory under present theories about the nature of tastes. This flexibility 
would have been condemned in the old paradigm as inconstancy which is as- 
sociated with insincerity, hypocrisy, or mental illness. Nowadays, it is a posi- 
tive attribute. A new, more useful model replaces the non-functional monolithic 
self. Everybody is a player, and must do everything to the ‘Self’ to correspond 
to the conditions of the game in order to play better. (Gauntlett, 2002)[9] This 
leads to hyper-identity which is related to identity as a hypertext is to a text. (Fi- 
liciak, 2003; Foucault, 1977) It is more of a process than a finished forma- 
tion, a complex structure that is updated incessantly by choosing from the 
multitude of solutions. The argument could be made that the emergence of 
anonymity on the internet changes nothing essential about the nature of human 
behaviour. (Martens 2007)[10] Throughout history, technological advance- 
ments have allowed the “Self” to act in assorted ways in diverse communities, 
without anyone being the wiser. The internet only exaggerates this ability. 

Hence, it can be suggested that what is changing is not the “Self >, which 
remains unitary, but the effortlessness with which the “Self” can manipulate its 
appearances in different physical spaces. It exists in the state of continuous 
construction and reconstruction. (Giddens in Gauntlett, 2002) But again, this 
is nothing new. People have lived double lives since time began. Liquid iden- 
tity is not in conflict with constancy if the object integrates the individual’s ac- 
tivities. The significance in which these lives are ‘double’ is wholly a social 
construct. But it is the individual mind that decides what style coheres.[11] 
From the point of view of theory, no incongruity occurs when someone appe- 
ars in Second Life as both a young man and an old woman. If variety is really 
the spice of life, theorists would predict that the unitary actor will opt for a 


414 








number of different physical appearances by which to materialize. The deve- 
lopment of avatars, and the shifting of the “Self” between them, has no real 
consequence for the applicability of rational choice theories. (Castronova, 
2003; Turkle, 1995; Rehak, 2003) In conventional terms of reasoning, post- 
modern identity can be considered schizophrenic; however, it should not be 
looked upon as pathology but as a virtue. 

However, these changes have consequences for the communities that 
humans form. Rational choice theories of social effects stress the importance 
of information for the preservation of social norms. The enforcement of norms 
is effective only if it is possible to impose some kind of penalty on the viola- 
tors.[12] As such, past reputational data should be preserved, transparent, and 
widely shared in order to produce reliable and persistent online identities. “Our 
conception of identity is dependent on the technology that mediates between 
social interaction.” (David, 2005) Although, identity online is more easily cre- 
ated, abandoned or shielded than in real life, virtuosity[13] is making that both 
easier and yet more difficult. Technology, thus, defines the scope of social re- 
lationships and our online social interaction has different characteristics. The 
most important characteristic being that identity is becoming enriched with 
more persistent forms of reputation. Reputation is of course tied to an identity. 
They are two sides of the same coin. Reputation, however, is earned over time. 
As such, identity without reputation is nearly meaningless. (Resnick, Ze- 
ckhauser, Swanson, and Lockwood, 2006)[14] 


lll. Reputation 


A reputation is the “estimation in which a person or thing is commonly held.” 
(Pocket Oxford Dictionary, 1975) Reputation is a fundamental part of your 
virtual self. Conversations in virtual worlds can be stored, and who you are be- 
comes more a function of the community’s view of you, your behaviour and 
your contributions to a particular piece of a virtual world. In this social so- 
ftware environment of collaborative creativity and interaction, representation 
becomes malleable and reputation becomes community-created. As such, on- 
line reputation needs to recognize the interests of the collective as well as of 
the individual in the manner in which identity is constructed online. 

Ina pay-for-play game like World of Warcraft for example, reputation is 
key.[15] Unfair play is punished by banning a player from the game. The 
player’s account is terminated, and all his avatars effectively eliminated, per- 
manently. Unfortunately, nothing can stop the banished player from opening a 
new account, with a different credit card, and starting new avatars. (Mnookin, 
1996; Lessig, 1999) Hence, it appears that nothing thwarts anyone from vio- 
lating any and all social norms, without consequence. This may cause one to 


415 





think that the future of a stable community in such an environment seem ho- 
peless. The instability of online communities has been studied by sociologi- 
sts for a long time. (Id.; Damer, 1998; Turkle, 1995) However, economists 
suggest that people/players will sort themselves into discrete units based upon 
how interested they are in living in a community regulated by particular social 
norms. (Samuelson, 1994; Johnson, 1997) Such arrangements are apparent in 
existing virtual worlds. Virtual worlds with built-in systems for maintaining 
player reputations seem immeasurably more popular than worlds where repu- 
tations cannot be known. For example, AlphaWorld[16] bestows upon all ava- 
tars the same capabilities at all times. Consequently, a player who defies a 
social norm in AlphaWorld, if banished, can generate a new avatar immedia- 
tely, using a different name, which will have all of the same capabilities and 
skills as previously. The community can have no effect on behaviour. 

This is in direct contrast with a game like EverQuest. In EverQuest, a 
player’s ability to be a nuisance to others depends on his level of skills. These 
skills and talents can only be acquired by dedicating hours to an avatar, in team- 
based operations with other avatars. As a result, advancement in the game ne- 
cessitates that a player become recognized for good play, so as to be invited into 
teams or guilds. A player who breaches the unwritten rules will not advance 
very far, purely on grounds of reputation. Indeed, there is little or nothing a 
player can achieve in EverQuest without the help of others. A player may 
weigh up starting again to obtain a new reputation by simply creating a new 
avatar; however, the new avatars are so weak and poor that they can be of very 
little use to anyone. (http://town.uo.com/bnn ) 

If any of these virtual worlds arbitrarily altered or deleted a player’s re- 
putation despite the fact that the community had created it, there is little assu- 
rance that robust and persistent identities would be developed. Reputation 
scores and collaborative filtering devices are signalling mechanisms for suc- 
cessful collective action. Merely because that reputation depends on software 
tools for its articulation should not produce an exclusive property right for the 
platform owner without regard for the needs of the group. (Noveck, 2005) 


IV. Law 


What constitutes an appropriate interest in a particular piece of property, espe- 
cially when, as with intellectual property rights, you are dealing with creations 
of the human mind? An individual’s personal identification with all of her 
physical and mental capacities could give rise to personal identification with 
the intellectual products of those capacities — without any reference to ‘creati- 
vity’. For instance, if a person identifies with her own mental capacities, this 


416 








may cause her to identify first, with the process of using those capacities, and 
then with the products of those processes. It is possible that someone would 
identify more with the processes and less with the product, but unlikely in the 
virtual worlds discussed here. 

Assume that the individual identifies with (1) their capacities; and the- 
reby (2) the processes of using those capacities; and thereby (3) the intellectual 
products of these processes. One might conclude that step (1) is wrong, that 
the individual does not have any particular entitlement to identify with the ta- 
lents with which she is endowed. One might further consider that even the 
ability to expend effort to be determined by factors outside a person’s control 
and hence a morally impermissible criteria for distribution. (Rawls, 1971)[17] 

This counter-argument fails in virtual worlds. Each person has chosen who 
and what they want to be. They have chosen, albeit from a pre-selected set of 
criterion, their capacities and the process of using those capacities. Thus, they 
may have acquired a particular entitlement to identify with these talents. 

Justin Hughes (1998) in his article, The Personality Interest of Artists 
and Inventors in Intellectual Property, identified three separate personhood in- 
terests in intellectual property res:[18] (1) creativity; (2) intentionality; and 
(3) identification as the source of the res. (Hughes, 1998) They are as intrinsic 
to the virtual world as they are to the real world. He begins with creativity — 
a fundamental notion of copyright law — as a core personhood interest that 
blurs the notions of originality and personal expression. (Hughes, 1998) He re- 
fines this by following with intentionality. Black’s Law Dictionary (1990) de- 
fines intent as “design, resolve, or determination with which a person acts;” 
(Witters, 1939) “a state of mind in which a person seeks to accomplish a given 
result through a course of action;” (Wager, 1979) and “a mental attitude which 
can seldom be proved by circumstances from which it may be inferred.” (State, 
1975) Hughes ends with questioning whether merely being the source of res 
creates legitimate personhood interests that justify some sort of protection. 
(Hughes; 1998) These principles can be applied to both the players and cor- 
porate governors of virtual worlds in attempt to determine who has the stron- 
ger property rights in these creations. 


A. Creativity 


How fundamentally connected is creativity to individuality and identity? Cre- 
ativity as a characteristic is something we nurture in our children for their de- 
velopment as independent individuals. The identification of a certain work 
with a certain individual transpires with subtler expression, in a manner simi- 
lar to a particular defensive play in a chess tournament or a particular style of 
lighting scenes in a film[19] In these understated cases, there is a groping for 


417 


some new terminology like ‘critical judgment’ or ‘intellectual insight.’ As this 
is the case, then there is no wonder that the three ideas - creativity, originality, 
and personal expression — have become so completely entwined in law that 
there may be no simple or clear way to disentangle them, despite some courts’ 
and commentators’ attempts to keep originality and creativity conceptually se- 
parate and distinct. 

In the beginning, the traditional Common Law approach towards the re- 
quirement of originality was developed in England and is still enforceable 
there. This approach has served as a baseline for all other Common Law-based 
systems, including the early days of copyright law in the United States. The 
British approach could be described both as pragmatic and practical. “Origi- 
nality’ is equated with a minimum standard of labour, skill or judgment in the 
production of a work which must not be a copy of another work. There is no 
requirement of novelty or creativity in the protected work, but only a require- 
ment for some basic degree of skill and labour in the production of a work that 
is not a mere slavish copy of another work. (Stoke, 2001)[20] Consequently, 
British courts have tended to acknowledge copyright in almost any work which 
has even a slight element of labour and skill invested in its production, and is 
not a simple copy of another work.[21] 

If the choice and arrangement of source material demands more than a 
minimal standard of skill and labour, the final form of expression of the work 
will be entitled to a copyright which is independent and additional to the one 
which may exist in the source materials. (Cornish, 1999; Stokes, 2001) 

This approach must be read alongside another basic principle of copy- 
tight law well established in the British system: the idea-expression dicho- 
tomy rule which excludes mere facts from the protection of copyright. Hence, 
copyright subsists only in a particular form of expression, in which ideas and 
facts are conveyed, and not in the abstracted form of the facts and ideas which 
are embodied within an expression.[22] The true nature of the protection gran- 
ted to factual compilations was summarized clearly by the authors of Copin- 
ger and Skone James -- On Copyright (1999), who state that the merit of such 
works lies in the time and money spent in collecting and choosing the raw ma- 
terials and it is this skill and effort that the law really intends to protect in this 
context: “The skill and effort is not literary in any conventional sense but as a 
matter of convenience it is protected as a literary work.” Thus, intellectual 
creation or personal expression must be applied to the abstracted form of the 
facts in order for a copyright to subsist. This would then answer to the Oxford 
Dictionary’s (1975) definition of original, “. . . not imitative, novel in charac- 
ter or style, inventive, creative, thinking or acting for oneself...” 

The Privy Council case of Interlego AG v Tyco Industries Inc.(1988) 
which held that “[s]kill, labour, or judgement merely in the process of copying 


418 








cannot confer originality. . . [t]here must . . . be some element of material al- 
teration or embellishment which suffices to make the totality of the work an ori- 
ginal work.”(Id.) 

In the 1991 Feist decision, the U.S. Supreme Court unequivocally dec- 
lared that ‘originality’ as employed in copyright law should be defined at least 
partially by means of creativity: “Original, as the term is used in copyright, 
means only that the work was independently created by the author (as oppo- 
sed to copied from other works) and that it possesses at least some minimal de- 
gree of creativity. To be sure, the requisite level of creativity is extremely low, 
even a slight amount will suffice.”[23] 

The Feist decision has had influence beyond the borders of the United 
States and has reached other common law-based countries that have adopted 
the ruling of the United States Supreme Court, while abandoning their tradi- 
tional leaning towards the British approach. In Israel, the Supreme Court in the 
Interlego A/S v. Exin-Lines Bros. SA decision adopted the Feist ruling with re- 
gards to both the interpretation of the originality requirement and the general 
rejection of the ‘sweat of the brow’ doctrine and the labour theory as a legiti- 
mate interest for establishing a copyright claim. In Canada, a Canadian Fede- 
ral Court of Appeal withheld protection from a telephone directory 
arrangement,[24] even though other cases restricted the Ze ele-Direct (1997) pre- 
cedent to compilations and generally defined originality in more traditional 
common law terms. (Hager, 1998) 


B. Intentionality 


Intentionality is used here as a counterpart to ‘creativity’ and as a constituent part 
of ‘personality’. (Hughes, 1998) A common theme in philosophical discussions 
of intentions is a sense of their ‘nowness’ - that an intention is a desire or deci- 
sion being put into action.[25] There is no question that artistic works that seem 
imbued with creativity also seem imbued with the artist’s intention or purpose. 
As such, “[w]here the work constitutes a work that has both artistic intent and 
aspects of craftsmanship; it will attract copyright protection as a work of artistic 
craftsmanship.” (Lambretta, 2004) Dewey (1980) remarked that: “no matter 
how imaginative the material for a work of art, it issues from the state of reverie 
to become the matter of a work of art only when it is ordered and organized, and 
this effect is produced only when purpose controls selection and development of 
material.” This returns us to the concept of authorship in British copyright law. 
The author of a work is the person who creates it. (CPDA 1988 s 9(1)) In most 
work, this is self-evident. Author has also been defined at the person who gathers 
or organizes the material contained within a work and who selects, orders, and 
arranges that material. (Waterlow, 1995) 


419 





One might say that the person’s intentionality is intention in the process 
which led to creation of the res, not intention in the res itself. This, in turn, leads 
us from an exploration of the artist’s expression into exploration of her inten- 
tions, i.e., “what was she trying to express?” easily becomes “what was her in- 
tention?” To John Dewey, purpose was as keenly connected to one’s personality 
as creativity: “Purpose implicates in the most organic way an individual self. It 
is the purpose he entertains and acts upon that an individual most completely 
exhibits and realizes his most intimate selfhood. Control of material by a ‘self’ 
is control by more than just ‘mind’: it is control by the personality that has mind 
incorporated within it.” (Dewey, 1980) However, not just any intent is enough 
for a personhood interest in intellectual products; the individual must intend to 
produce some form or shape that does not yet exist. 


C. Sourcehood 


Besides creativity and intentionality, there may be another personality interest: 
identification as the source of the res. (Hughes, 1998) I suggest that this is a 
more basic aspect, but one which may resonate closely with players in a vir- 
tual world. The idea of ‘sourcehood’ takes two forms. The first is the purely 
private self-identification with the res. This is a private belief that one is the so- 
urce of the res. (Hughes, 1998) An example would be a player creating a di- 
stinctly unique avatar as opposed to accepting a generic avatar. On the other 
hand, it could be the computer programmer who created the code to allow ava- 
tars to acquire blue dye which, in turn, would allow them to have blue hair. 
Contrast this with the desire for the attention of others, recognition, or social 
place; a person who wants others to identify her and might try to achieve this 
recognition by ‘marking’ things as her own. (Hegel, 1952; Gordon, 1993) 
These markings could be the symbols a craftsman uses to identify his goods or 
it could be the marks that a guild might use to identify its members. This ‘so- 
urcehood’ interest, being identified as the source of some intellectual work, 
may be a personality justification. 

Certainly, the personhood interest in intellectual property is most often 
protected with a guarantee of social recognition: the right of attribution. (Berne 
Convention, article 6bis) Attribution rights protect sourcehood interests; ho- 
wever, in America these rights are not as developed as in Europe. In the Uni- 
ted States, the default position is that a source of intellectual property res does 
not have a right of attribution.[26] 

Although, self-identification and the desire for recognition from others 
are conceptually distinct, one can imagine creative people who identify with 
their work and do not want social recognition. Perhaps, an artist wants to avoid 
social recognition in order to maintain greater creative freedom. Or perhaps, 


420 








an individual wants to relate to others via a different identity provided by their 
avatar. In MMORPGs, this is where the aspect of role-playing is at its height. 
Virtual worlds are the domain of liquid identities. 

Even so, these two notions - self-identification as the source of a res and 
desire for social recognition through the res - are rarely disentangled. They 
are combined on the assumption that the person seeks social identification for 
those things with which she already self-identifies. The notion of identity is 
compelling when studying culture; “self” is the measure of reality. (Filiciak, 
2003) Protecting this “self” takes the form of social mores as much as laws. 
If the right of attribution is limited in our mores and laws, then so is the exten- 
sion of any other rights (i.e. to control the intellectual property res) relating to 
one who self-identifies with that res. 


V. Conclusion 


While the undertaking of designing enjoyable avatars and virtual worlds may 
be complex and somewhat byzantine, the fact remains that these virtual worlds 
are in demand which, consequently, suggests that they will have the net effect 
of increasing cumulative well-being.[27] “The junction of the new and the old 
is not a mere composition of forces, but is a recreation in which the present im- 
pulsion gets form and solidity while the old, the ‘stored,’ material is literally 
revived, given new life and soul through having to meet the new situation. It 
is this double change that converts an activity into an act of expression. Things 
in the environment that would otherwise be mere smooth channels or else blind 
obstructions become means, media. At the same time, things retained from the 
past experience that would grow stale from routine or inert from lack of use, 
become coefficients in new adventures and put on raiment of fresh meaning. 
Here are all the elements needed to define expression.” (Dewey, 1980) 

Dewey’s view is that both the subjects our minds engage and what we 
do with those subjects are the results of personal experience being reworked in 
the present tense. Because each of us is a unique experiential time line, wha- 
tever we produce constitutes personal expression. (Id.) Each of us is a unique 
order of experiences and each new creation might somehow be predictable and 
mechanical while staying beautiful and unique. (Noziack, 1989) 

As we delve deeper and wider into virtual spaces, both our identities and 
reputations are scattered across them. Control over online avatar identities will 
have many real-world consequences, because these clouds of bits may include 
our credit records, our buddy lists, our job records, personal references and 
other information regarding reputation, medical histories, certifications and 
academic transcripts. As soon as something is valuable and persistent, we seek 
to associate rights and duties with it. What will those rights be? And what will 


421 


be the law of online identity to which those rights apply? The rise of these 
types of difficult problems of choice in cyberspace has nothing to do with the. 
fact that human beings are interacting via avatars in virtual reality; it has eve- 
rything to do with the fact that they are human beings, interacting. 


Notes 


[1] Peter Steiner, page 61 of July 5, 1993 issue of The New Yorker, (Vol.69 (LXIX) no. 20) 
[2] This usage of the term was coined in 1985 by Chip Morningstar, a user of the first ava- 
tar environment created by LucasFilm called Habitat. Habitat lacked many of the features 
we have in today’s games such as quests and puzzles. It was more similar to a social MUD 
in which the interactivity between avatars was the ultimate goal. 

According to Encarta: “Avatar [Sanskrit]: 1. incarnation of Hindu deity: an incarnation 
of a Hindu deity in human or animal form, especially one of the incarnations of Vishnu 
such as Rama and Krishna. 2. embodiment of something: somebody who embodies, per- 
sonifies, or is the manifestation of an idea or concept. 3. image of person in virtual reality: 
a movable three-dimensional image that can be used to represent somebody in cyberspace, 
for example, an Internet user.” 

[3] It is significant to note that people talking about their activities while in the virtual world 
use the pronoun ‘I’, each identifying his or her ‘self? with their avatar they have created. 
[4] Fabricated monikers include Woody Allen (Allen Konigsberg), Alan Alda (Alphonso 
D’ Abruzzo), Anne Bancroft (Anna Maria Italiano), Pat Benatar (Patricia Andrejewski), 
Jack Benny (Benjamin Kubelsky), Mel Brooks (Melvin Kaminsky), George Burns (Na- 
than Birnbaum), Tom Cruise (Thomas Mapother IV), Tony Curtis (Bernard Schwartz), Kirk 
Douglas (Issur Danielovitch), Bob Dylan (Robert Zimmerman), Cary Grant (Archibald 
Leach), Elton John (Reg Dwight), Karl Malden (Mladen Sekulovich), Barry Manilow 
(Barry Alan Pincus), Ricky Martin (Enrique Martin Morales), Walter Matthau (Walter Ma- 
tuschanskayasky), Chuck Norris (Carlos Ray), George Orwell (Eric Blair), Jack Palance 
(Walter Palanuik), Martin Sheen (Ramon Estevez), Ringo Starr (Richard Starkey), Sting 
(Gordon Sumner), and Mark Twain (Samuel Clemens). For more examples, see Nom de 
Guerre, http://go.to/realnames. Such monikers are not always voluntarily adopted. Some 
performers have been pressured to use stage names. This was allegedly the case with John 
Mellencamp (ne John Mellencamp, but previously called Johnny Cougar, John Cougar, 
and John Cougar Mellencamp). See Wikipedia: John Cougar Mellencamp, 
http://en.wikipedia.org/wiki/John_ Cougar Mellencamp. Not all celebrities take or are for- 
ced to take this course - for instance, Madonna and Britney Spears are well known for the 
hyper-fabrication of their popular images, but have retained their birth names: Madonna Lo- 
uise Ciccone and Britney Jean Spears, respectively. 

[5] Though the symbol defies articulation, it has the benefit of being registered as a trade- 
mark and also subject to copyright protection, unlike the vast maj ority of personal names. 
Judge Posner explained: “The defendant, identified only as “Prince” in the caption of the 
various pleadings, is a well-known popular singer whose name at birth was Prince Rogers 
Nelson, but who for many years performed under the name Prince and since 1992 has re- 
ferred to himself by an unpronounceable symbol reproduced as Figure 1 at the end of this 
opinion. The symbol is his trademark but it is also a copyrighted work of visual art that li- 
censees of Prince have embodied in various forms, including jewellery, clothing, and mu- 
sical instruments.” Pickett v Prince, 207 F.3d 402, 403 (7th Cir. 2000) 

[6] “The very possibility of achieving stable mutual cooperation depends upon there being 
a good chance of a continuing interaction” because it is through repeat play that trust is de- 
veloped. 





422 








[7] Michel Foucault stressed that “there is no inside ‘self’, no essence making me who I 
am.” For Foucault, people do not have a 'real’ identity within themselves; that's just a way 
of talking about the self -- a discourse. An ‘identity' is communicated to others in your in- 
teractions with them, but this is not a fixed thing within a person. It is a shifting, temporary 
construction. 

[8] “Identity is used to mean ‘the condition of being a specified person’, or ‘the condition 
of being oneself ... and not another’. It clusters with the terms ‘personality’, ‘individuality’ 
and ‘individualism’, and, less fashionably, ‘soul’. It implies the existence for each person 
of private space or personal lebensraum, in which one’s attitudes and actions can define 
one’s self ... The dictionary definitions miss a vital aspect. The origin of the term implies 
equality or ‘one-ness’, but identities are no longer rationed to one per physiological speci- 
men. A person may adopt different identities at various times during a life-span, and some 
individuals maintain several at once. Nor are such multiple roles illegal or even used pri- 
marily for illegal purposes. Typical instances include women working in the professions, 
artists and novelists, and people working in positions which involve security exposure (such 
as prison wardens and psychiatric superintendents.)” (Clarke, 1994) 

[9] Anthony Giddens describes this as the “narrative of the self’. He believes our every- 
day activities consist in strengthening and reproducing a set of expectations (theory of struc- 
turation). 

[10] “There will be times and places where it may be alright or even desirable for people 
to be anonymous, perhaps in areas where confidential feedback is sought or where knowing 
specifically who someone is just is not important. Alongside such anonymity, there will be 
occasions and locations where any kind of dissimulation about identity is not only wrong, 
it is a felony.” said Irving Wladawsky-Berger, chairman emeritus of the IBM Academy of 
Technology, “For instance, an adult pretending to be a child so that they can enter a vir- 
tual world that's meant to be only for kids.” (Martens, 2007) 

[11] The history of video games indicates that there is no perfectly ‘reflective’ avatar; i.e., 
one that resembles the player visually (like in a mirror) and seems to gaze back on her. If 
the avatar is a reflection, its correspondence to embodied reality consists of mapping not 
of appearances but of control. One way to consider this ‘reflective relationship’ in third- 
person games such as the Tomb Raider series (1996 — present), in which a ‘chase camera’ 
follows the avatar but rarely reveals her face, is by analogy a two-mirror system. Positio- 
ning a hand mirror so that its reflection is visible in a larger mirror, I can, for example, 
glimpse the back of my own head: the image is still recognizably me, yet I do not return 
my own gaze. 

[12] Resolving problems is less likely to involve law enforcement and more likely to cen- 
tre around the contracts entered into when becoming a member of a particular virtual world, 
according to Beth Simone Noveck, a professor of law at the New York Law School. "We'll 
see the emergence of more sophisticated contract services,” she said, so that the residents 
in a virtual community set the rules on which their world is based and take all the major de- 
cisions on the criteria for the entry contract.” (Martens, 2007) 

[13] Tools such as OpenID and ClaimID are the beginnings of managing virtuosity across 
online spaces. OpenID allows people to carry their identity from one virtual place to ano- 
ther for convenience, while ClaimID gives them a tool to pool and manage their various re- 
putations. OpenID is a solution for the log-in problem of having multiple identities online. 
With OpenID, a person creates one master identity online at a site that he uses a lot and 
tends to remain logged in to--for instance, a social network site or a personal blog. When 
that person needs to identify himself to another new site, he points that site toward his main 
identity-providing site where he is already logged in. His main site sends the new site his 
log-in credentials, so the new site now knows who he is. In theory, if OpenID was adopted 
on every Web site around the Web, you'd need only one universal log-in and could forgo 


423 


the often tedious practice of remembering user names and passwords. 
http://www.openid.org/news.aspx; See also, http://www.virtuosity.com/ 

[14] It is a measure of reputation allowing us an assessment of risk in doing business with 
someone. In business at the moment of “transaction” (however it is defined) what is ne- 
eded is to know and determine is reputation. So, reputation devices like credit scores or a 
domain name system or eBay ratings have been created. See for example, 
http://pages.ebay.co.uk/help/feedback/building_your_reputation.html 

[15] Listed below are the different reputation levels. Generally speaking, you start out as 
neutral with most factions; gaining friendly takes some effort, but it’s not excessive. Ho- 
noured is a bit more challenging; revered and exalted are monumental accomplishments re- 
quiring tremendous effort. 











=| The highest level of reputation attainable with any faction. 





Special reputation level reserved for heroes. 








10% discount on bought items from vendors. 





Standard reputation level which gives access to certain vendor items. 


Standard reputation level for factions that are not on a players list and are not 
KOS (Kill on Sight). 











Reputation Guide at http://www.worldofwar.net/guides/reputation/ 

[16] AlphaWorld, is the oldest collaborative virtual world on the Internet, and home to mil- 
lions of people from all over the world. Since its birth in 1995, AlphaWorld attempted to 
do for 3D virtual worlds what web browsers did for the 2D Web: it created a tool for explo- 
ring and building three-dimensional spaces. The programmers at Active Worlds created a 
library of objects that users could assemble like Lego blocks into buildings, cars, and other 
composite structures. By 1998, they had released a software development kit that enabled 
users to build their own custom objects, called blocks. See The Active Worlds SDK, 
http://www.activeworlds.com/sdk, and particularly the timeline of changes to the SDK, at 
What’s New in the Active Worlds SDK, http:// www.activeworlds.com/sdk/whatsnew.htm. 
With these tools, Aipha World users have not only replicated Rome’s Coliseum, but have 
created entire parallel worlds. For all this construction and creativity, Active Worlds has 
never been a commercial success: it only instituted a monthly-fee model in September 
1997, and to date has only registered a total of 70,000 users, see The Activeworlds Corpo- 
ration: Company Information, http://www.activeworlds.com/info/index.asp, partially be- 
cause the world has no teleology. See Raph Koster, MUDs Versus MMORPGs, 
http://www.legendmud.org/raph/gaming/mudsvsmassive html. That said, AlphaWorld set 
the stage for a new generation of virtual worlds, like Linden Lab’s Second Life, that not only 
offer malleability to their users, but also economic freedom to sell their creations in both 
virtual markets and real-world exchanges. Alpha World has rapidly grown in size and is ro- 
ughly as large as the state of California, and now exceeds 60 million virtual objects. 
http://www.activeworlds.com/worlds/alphaworld/ 

[17] “The assertion that a man deserves the superior character that enables him to make the 
effort to cultivate his abilities is equally problematic; for his character depends in large part 
upon fortunate family and social circumstances for which he can claim no credit.” 

[18] “Res is everything that may form an object of rights and includes an object, subject- 














424 








matter, or status.” Black’s Law Dictionary (1990) citing In re Riggles Will, 205 N.Y.S.2d 
19 (N.Y. App. Div. 1960) 

[19] In discussing the development of a few leading cinematographers from the Hollywood 
studio system of the 1930s, John Bailey said: “Coming out of that [studio system were] 
some really stellar people ... who had such strength and such individual voice that they 
kind of transcended whatever studio they happened to be working for. Today you can look 
back and very easily recognize their films from the look irrespective of the director.” Visions 
of Light (Arnold Glassman, director, 1994). 

[20]University of London Press Ltd. v University Tutorial Ltd. [1916] 2 Ch. 601, 608-609, 
in which it has been declared that: “The word ‘original’ does not in this context mean that 
the work must be the expression of original inventive thought. Copyright acts are not con- 
cerned with the originality of ideas but with the expression of thought, and in the case ofa 
‘literal work’, with the expression of thought in print or writing. The originality which is 
required relates to the expression of the thought. But the Act does not require that the 
expression must be in an original or novel form, but that the work must not be copied from 
another work -- that it should originate from the author.” 

[21] Thus, the requirement of originality was acknowledged with regards to mundane fac- 
tual compilations, (See Ladbroke (Football) Ltd v William Hill (Football) Ltd (H.L(E.)) 
[1964] 1 W.L.R 273, 287, 289, 292, 1 All ER 465) such as a chronological list of sports’ 
matches (See Football League v Littlewoods [1959] Ch. 637, 2 All E.R. 546, 3 W.L.R. 42); 
a transcript of a public speech as it was documented by a skilful journalist (See Walter v 
Lane [1900] A.C., 539); listings of programs to be broadcast (See Independent Television 
Publications v Time Out [1984] F.S.R. 64); and ‘unoriginal works’ which concentrate so- 
lely on the documentation of another work such as photographs of paintings or objects in 
a collection. (See Antiquesportfolio.com ple. Rodney Fitch & Co. Ltd. [2001] FSR 345, at 
352-354) The cases which did not meet this basic requirement were cases such as a sligh- 
tly enlarged image produced by using a simple photocopier (See The Reject Shop ple v 
Manners [1995] FSR 870, at 876); or short slogans or titles. (See Rose v Information Se- 
rvices Ltd. [1981] FSR 254) 

[22] This basic rule is stated in many cases. For a recent House of Lords decision referring 
and applying the Idea-Expression Dichotomy, see Designers Guild Ltd. v Russell Williams 
(Textiles) Ltd. (H.L.(E.)). [2000] 1 W.L.R. 2416, at 2422-2423, [1 All E.R. 700] For exam- 
ples of factual information in the context, see e.g. Walter v Steinkopff [1892] 3 Ch. 489; 
Express Newspapers v News (UK) [1991] F.S.R. 36, at 41. 

[23] Id. at 345. In the statutory grant that “copyright protection subsists ... in original works 
of authorship,” 17 U.S.C. §102(a) (1988 & Supp. IV 1992), ‘original’ is interpreted as ha- 
ving ‘originality’ or meeting the ‘requirement of originality ....’ See Key Publications v 
Chinatown Today Publications, 945 F.2d 509, 512 (1991). 

[24] See also CCH Canadian Ltd. v Law Society of Upper Canada (1999) 2 C.P.R. (4th) 
129 (Fed. Ct.) (in which a compiling reported judicial decisions, even adding headnotes and 
other matters, has been found as lacking the ‘creative spark’ essential to a finding of origi- 
nality). By contrast, in another case, different facts, such as the selection of information use- 
ful for the community, the court has allowed to distinguish another telephone directory as 
original (Ital-Press Ltd. v Sicoli (1999) 86 C.P.R. (3d) 129 (Fed. Ct.) (telephone directory 
of Italian-Canadians in the Edmonton area)). 

[25] Hughes (1998), Personality Interests quoting Castaneda: “intending to do something 
is to be already in the process of doing it, even if merely by having undergone a re-arran- 
gement of the causal powers within oneself in the direction of the action one intends to 
do.” and Charles Taylor: “awareness of [an] intention incorporates, and may be nothing 
more than, our awareness of what we are doing intentionally.” 

[26] See, e.g., Cleary v News Corp., 30 F.3d 1255, 1259-60 (9th Cir. 1994); Vargas v Esqu- 


425 





ire, Inc., 164 F.2d 522, 524-27 (Tth Cir. 1947) (holding that an artist could not claim a right 
of attribution against a magazine where the artist granted the magazine all rights to his dra- 
wings in exchange for monthly compensation); Nelson v Radio Corp. of Am., 148 F. Supp. 
1 (S.D. Fla. 1957) (denying a singer a right of attribution in the context of a master/servant 
relationship between recording company and singer and absent agreement to provide label 
credit) 
[27] IBM believes that virtual worlds and other 3D Internet environments offer significant 
opportunity to our company, our clients and the world at large, as they evolve, grow in use 
and popularity, and become more integrated into many aspects of business and society. As 
an innovation-based company, IBM encourages employees to explore responsibly and to 
further the development of such new spaces of relationship-building, learning and colla- 
boration. As we engage in these new environments, IBMers should follow and be guided 
first and foremost by our values and our Business Conduct Guidelines. JBM Virtual World 
Guidelines at http://domino.research.ibm.com/comm/research _ projects.nsf/pages/ virtual- 
worlds.IBM Virtual WorldGuidelines.html 


References 


© Feist Publications, Inc. v Rural Tel. Serv. Co., 499 U.S. 340 (1991) 

@ Hager v ECW Press Ltd. [1998] 2 F.C. 287, 85 C.P.R. (3d) 289 (Fed. Ct.) 

© Interlego AG v Tyco Industries Inc. [1988] 3 All E.R. 949 at 970 per Lord Oliver (ap- 
peal taken from Hong Kong) 

© Interlego A/S V Exin-Lines Bros. SA, 48(4) PD., 133 C.A. 513/89 

© Lambretta Clothing Co Ltd v Teddy Smith (UK) Ltd [2003] RPC 41, 2003 WL 
21353286 (Ch D), [2003] EWHC 1204, [2004] EWCA Civ 886 

© State v Gantt, 26 N.C. App. 554, 217 S.E. 2d 3 (N.C. App. Div. 1975) 

© Tele-Direct (Publications) Inc. v American Business Information, Inc. (1997) 76 
C.P.R. (3d) 296 (Fed. C.A.), rev denied, 1998 

© Wager v Pro, C.A., 195 U.S. App. D.C. 423, 603 F.2d 1005 (D.C. Cir. 1979) 

© Waterlow Publishers Ltd v Rose [1995] FSR 207 

© Witters v United States, 70 U.S. App. D.C. 316, 106 F.2d 837 (D.C. Cir. 1939) 


1. Alexandra Alter, Js This Man Cheating on His Wife? The Wall Street Journal, Aug. 
10, 2007 

2. Robert Axelrod, The Evolution of Cooperation, (New York: Perseus Book Group, 
1984) 

3. Black’s Law Dictionary, 6" ed. (St. Paul. MN: West Publishing, 1990) 

Jay David Bolter, Turings Man: Western Culture in the Computer Age (Chapel Hill, 
NC: University of North Carolina Press, 1984) 

5. Joseph Campbell, The Hero with a Thousand Faces (Princeton, NJ: Princeton Uni- 
versity Press, 1972) citing Carl Jung, The Undiscovered Self (New York: Signet 
Books, reissue 1959) 

6. Edward Castronova, Theory of the Avatar, CESifo Working Paper Series No. 863 (Fe- 
bruary 2003) 

7. Roger A. Clarke, Human Identification in Information Systems: Management Chal- 
lenges and Public Policy Issues, 7 Information Tech. & People 4, 6-37 (1994), ava- 
ilable at http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html 

8. William R. Cornish, Intellectual Property -- Patents, Copyright, Trade Marks and 
Allied Rights, 4" ed. (London: Sweet & Maxwell, 1999) 


426 








11. 


12. 
13. 


20. 


21. 


22. 


23. 


24. 


25. 


26. 


27. 


28. 


29. 


Bruce Damer, Avatars! (Berkeley, CA: Peachpit Press, 1998) 

Paul A. David, “From Keeping ‘Nature’s Secrets’ to the Institutionalization of ‘Open 
Science’” in CODE: Collaborative Ownership and the Digital Economy, Rishab 
Aiyer Ghosh, ed. ( 2005) 

Erik Davies, Synthetic Mediations: Cogito in the Matrix in Darren Toffts, Anne Marie 
Jonson, and Alessio Cavallaro edited ‘Prefiguring Cyberculture: An Intellectual His- 
tory’ (Cambridge, MA: MIT Press, 2002) 

John Dewey, Art as Experience (New York: Perigee Books, 1980) 

Miroslaw Filiciak, Hyperidentities — Post-modern Identity Patterns in Massively Mul- 
tiplayer Online Role-Playing Games in Mark J.P. Wolf & Bernard Perron edited “The 
Video Game Theory Reader’ (London: Routledge, 2003) 

Michel Foucault, Power/Knowledge: Selected Interviews and Other Writings 1972- 
1977, edited by Colin Gordon, (London: Harvester, 1980), (See in particular 'The 
Confession of the Flesh’ [interview, 1977]) 

K. Garnett, J.R. James, G. Davies, Copinger and Skone James -- On Copyright 14" 
ed. (London: Sweet & Maxwell, 1999) 

David Gauntlett, “Anthony Giddens: The Theory of Structuration”, extract of Media, 
Gender, and Identity: An Introduction (London and New York: Routledge, 2002) 
Kris Gautier, Electronic Commerce: Confronting The Legal Challenge of Building E- 
dentities in Cyberspace, 20 Miss. C.L. Rev. 117 (1999) 

Erving Goffman, The Presentation of Self in Everyday Life (New York: Basic Books, 
1959) 

Justin Hughes, The Personality Interest of Artists and Inventors in Intellectual Pro- 
perty, 16 Cardozo Arts & Ent LJ 81 (1998) 

Steven Johnson, Interface Culture: How New Technology Transforms the Way We 
Create and Communicate (San Francisco, CA: Harper Edge, 1997) 

Raph Koster, A Declaration of the Rights of Avatars (27 August 2000) at 
http://raphkoster.com/gaming/playerrights.shtml 

F. Gregory Lastowka and Dan Hunter, The Laws of the Virtual World, 92 Calif. L. 
Rev. 1 (2004) 

Lawrence Lessig, Code and Other Laws of Cyberspace (New York: Basic Books, 
1999) 

China Martens, IDG News Service, Boston Bureau, WORLDBEAT: ID malleability 
creates virtual-world issues, IDG News Service 6/27/2007 at http://www.itworld.com/ 
Net/2614/070627id/ 

Jennifer Mnookin, Virtual(ly) Law: The Emergence of Law in LambdaMOO, 2 J. 
Computer-Mediated Comm. (1996) at http://www.ascusc.org/jcme/vol2/issue1/ 
lambda.btml 

Juliet M. Moringiello, Signals, Assent, and Internet Contracting, 57 Rutgers L. Rev. 
1307 (2005) 

Chip Morningstar and F. Randall Farmer, The Lessons of LucasFilm 3 Habitat, in Cy- 
berspace: First Steps (Michael Benedikt ed., 1991), available at 
http://www.fudco.com/chip/lessons.html 

Beth Simone Noveck, Trademark Law and The Social Construction of Trust: Creat- 
ing The Legal Framework for Online Identity, 83 Wash. U. L. Q. 1733 (2005) 


Robert Nozick, The Examined Life (New York: Simon & Schuster, 1989) 


427 


30. 
31. 
32. 


33. 


34. 


35. 


36. 
37. 


38. 
39. 


The Pocket Oxford Dictionary (Oxford: Clarendon Press, 1975) 

John Rawls, A Theory of Justice (Boston, MA: Bellnap Press, 1971) 

Bob Rehak, Playing at Being: Psychoanalysis and the Avatar in Mark J.P. Wolf & Ber- 
nard Perron edited ‘The Video Game Theory Reader’ (London: Routledge, 2003) 
Elizabeth Reid, “Text-based Virtual Realities: Identity and the Cyborg Body” (1994) 
at http://www.aluluei.com/cult-form.htm 


Paul Resnick, Richard Zeckhauser, John Swanson, and Kate Lockwood, The Value of 
Reputation on eBay: A Controlled Experiment, Experimental Economics, Volume 9, 
Issue 2, Jun 2006, Page 79-101 


Pamela Samuelson, et al 4 Manifesto Concerning the Legal Protection of Computer 
Programs, 94 Columbia Law Review 2308 (1994) 


Simon S. Stokes, Art and Copyright (Oxford: Hart Publishing, 2001) 


Sherry Turkle, Life on the Screen: Identity in the Age of the Internet (New York: 
Simon & Schuster, 1995) 


Mark Walsh, J, Product Wired Magazine May 2004 


Linda Zimmer, Identity versus Reputation: Wandering and Wondering in Virtual 
Spaces, posted 21 May, 2000 at http://freshtakes.typepad.com/sl_communica- 
tors/2007/05/identity_versus.html 


428 








Choice of Law, Jurisdiction, and Recognition and 
Enforcement of Judgements in E-commerce in South 
Africa 


Omphemetse Sibanda 
Associate Professor of Law 
University of South Africa, Pretoria, South Africa 
sibanos@unisa.ac.za 





Abstract: In South Africa, e-commerce is regulated through the 
Electronic Communications and Transactions Act (ECTA) 25 of 2002. 
The Act is the first functional equivalent for the country’s traditional 
paper-based contracts legislation. ECTA seeks to ensure that the South 
African e-commerce market conforms to international standards, and 
provides consumers and business with an efficient and effective way of 
doing business. The issues of jurisdiction and applicable law may pres- 
ent themselves as obstacles in implementing ECTA. Courts around the 
world found themselves experiencing difficulties in dealing with them. 
ECTA disregard the choice of applicable law by the parties in a rather ex- 
treme and radical manner. The choice of law is important element in e- 
contracting and fits-well into the expanded trade and market access 
presented by e-commerce. Policy considerations behind restrictions on 
the choice of applicable law may be understandable. However, such con- 
siderations should bear in mind that the parties’ freedom to contract is 
integral to business transactions. ECTA choice of law restriction has the 
potential to stagnate the development of cross-border e-commerce in 
South Africa, and characterisation of South Africa as an unacceptable 
jurisdiction. ECTA drafter could have taken a middle approach to choice 
of law based on reasonableness and equity; or on the dictates of public 
policy instead of the total exclusion of choice of law. This is the appro- 
ach mixing preferential law and the minimum rights-protection appro- 
ach. ECTA is silent on both the aspects of using a South African court 
as a forum for adjudication e-contracts disputes, and the enforcement 
and recognition of foreign judgments. This has left an uncertainty re- 
lating to jurisdictional connecting factors in the context of e-contracts. 
In particular, the jurisdictional connecting factors pursuant to the Mag- 
istrates’ Courts Act of 1944 contain requirements difficult to apply in 
breach of e-contracts. In respect to the recognition and enforcement of 
foreign judgments, and awards the current law and practice suffices to 
be applied as is to e-contracts. The revelation in this study is that ECTA 
to a certain extend does not leave up to South Africa’s vision of an elec- 
tronic transaction policy which takes due cognisance of international 
best practices and conformity with the law and guidelines of compara- 
tive national jurisdictions and international bodies. The law need to be 
properly aligned with international e-commerce trends and develop- 
ments. 


429 


1.0 Introduction 


Electronic commerce - conducting of business electronically or using of elec- 
tronic networks to conduct business - is a practice which is accepted globally. 
Many people and businesses conclude automated [ 1].transaction almost eve- 
ryday worldwide. In South Africa, e-commerce is said to touch all major 
aspects of economic life. [2] It was therefore important that South Africa put 
in place contract regime that will accommodate transactions concluded elec- 
tronically. The Southern African Development Community (SADC), to which 
South Africa is one of the members, [3] recently adopted a model e-commerce 
law to guide the regulatory and legislative measures by member states. South 
Africa long legislated e-commerce under the Electronic Communications and 
Transactions Act (ECTA) 25 of 2002, which is modeled partly on the United 
Nations Commission on International Trade Law Model Law on E-Commerce 
(UNCITRAL Model Law) of 1996, [4]and European Union Directives on e- 
commerce. 

There are several issues that require a very circumspect consideration 
when deciding to regulate e-commerce, as opposed to regulating paper-based 
contract environment. Such as issues of applicable law; jurisdiction; and reco- 
gnition and enforcement of judgments. These issues are struggle issues inter- 
nationally in the realm of e-commerce, and courts around the world found 
themselves experiencing difficulties in dealing with them. Non-regulation 
and/or any undue, excessive restrictions, and ambiguity over these issues poses 
a problem in e-commerce more so like it would in the traditional contract envi- 
ronment. 

This paper briefly examines aspects of applicable law; jurisdiction; re- 
cognition and enforcement of judgments in e-commerce. The examination is 
carried out against the backdrop of the manner in which the issues of jurisdic- 
tion and applicable law are dealt with under the traditional South African law 
of contract. Part 2 will provide a brief background on the regulatory and legi- 
slative framework of e-commerce in South Africa. In part 3, we will critically 
appraise the choice of law provision under ECTA, which to a particular extend 
deviate from the accepted common law unlimited choice of law approach go- 
verning paper-based contracts in South Africa in favour of a total exclusion of 
choice in e-contracts in relation to the socalled minimum rights. In Part 3 we 
will also discuss the aspects of jurisdiction. Jurisdiction issues in e-commerce 
are not be adequately dealt with by ECTA except for a provision dealing with 
cyber offences. We conclude that if ECTA fails to address some of the juris- 
dictional problems, the South African private international law, or “conflict of 
laws” as it sometimes referred to, should be called in to determine the issue. In 


430 








any event the peremptory rule is that ECTA cannot be interpreted to “exclude 
any statutory law or common law from being applied to ...accommodate elec- 
tronic transactions.” (§3 of ECTA) Part 3 further discusses the recognition and 
enforcement of foreign judgments under ECTA. It is here noted that ECTA is 
silent on the subject. Recourse should therefore be to the current private inter- 
national law rules, and other legislative instruments. This paper is then conc- 
luded in Part 4 reflecting on the discussions in the afore-going Parts. 

Note that ECTA has recently been enacted and its application in respect 
of the subject of this paper in the South African courts remains to be seen. At 
the writing of there paper we were not aware of any case on the subject of this 
paper in South Africa. This paper thus relies largely on analysis of ECTA and 
comparative jurisprudence where necessary. 


2. Background 
2.1 ECTA in Brief 


ECTA came into force on 30 August 2002. It is specifically enacted to deal 
with e-commerce issues that could not be adequately dealt with by the legi- 
slation then in place. From a jurisprudence and legal development point of 
view the hype around legislative regulation of e-commerce in South Africa is 
understandable. ECTA is the country’s first omnibus legislation enacted to deal 
specifically with e-commerce issues. It aims at establishing a formal regime 
and legal framework to define, develop, govern and regulate electronic com- 
merce. It also satisfies the need to regulate electronic transaction with a view 
of affording protection to consumers. Note that part of the process towards the 
enactment of ECTA was the identification of existing contract specific or re- 
lated legislation and to determine their appropriateness to e-commerce. The 
result was that the existing legislation was found not to adequately cater for e- 
commerce. 

The main objective of ECTA is to enable and facilitate electronic com- 
munication and transactions. ECTA amongst others seeks to ensure legal cer- 
tainty and confidence in e-transactions[6]; to ensure that the South African 
e-commerce market conforms to international standards [7] to provide con- 
sumers and business with an efficient and effective way of doing busi- 
ness[8]and to put in place a functional equivalent for the country’s traditional 
paper-based commercial legislation.[9]ECTA covers a wide range of issues rel- 
evant to e-commerce. One of the factors that makes ECTA so distinctive is that 
is contains the first statutory provisions on cyber crime in the South African 
legal history. [10] 


431 





2.2 Choice of Law in Traditional Contracts 


The South African common law of contract affords the parties the freedom to 
contract, sometimes referred to as the principle of party autonomy, in terms of 
which the parties are free to choose a particular law to govern their contract, 
amongst others, and which should generally be given legal effect by the courts. 
One of the chief proponents of freedom to contract, Von Hippol, refers to this 
as “private autonomy.” [11] This party autonomy is long accepted and endor- 
sed by courts as the cornerstone of the South African law of contracts. [12] 
Writing on the sanctity of exemption clauses in South Africa, Hopkins stated 
that “contractual freedom” demand that “we respect the autonomy of consen- 
ting adult parties in their contract-making.” [13] In a case to determine the en- 
forceability of non-variation clauses in contracts Cameron JA in Brisley v 
Drotsky 2002 (4) SA 1 (SCA) held that “the Constitution's values of dignity and 
equality and freedom require that the Courts approach their task of striking 
down contracts or declining to enforce them with perceptive restraint. ... that 
contractual autonomy is part of freedom. Shorn of its obscene excesses, con- 
tractual autonomy informs also the constitutional value of dignity.” 

The enforcement of the parties chosen law is not as cut and dry as it ap- 
pears. In determining applicable law, and the parties’ freedom to choose the 
applicable law, we need to draw a line between substantive and adjective law. 
Adjective law may pre-emptively place restrictions on the parties’ right to cho- 
ose applicable law. A case in point is the United States court that has held do- 
ubtful the parties freedom to “allocate burdens of proof, establish standards of 
proof, or, in other respects, control judicial fact-finding procedures in actions 
arising out of their contracts.”[14] 

In the field of commercial arbitration, the principle of party autonomy 
allows the parties the freedom to determine the procedure to be followed in 
the arbitration, subject any other law aimed at ensuring procedural fairness. 
Generally, parties may choose the law applicable to the arbitration agreement 
and the arbitrator shall then apply it. [15] This can be attributed to the fact that 
arbitration is inherently creature of contract. According to the UNCITRAL Ar- 
bitration Model Law, the tribunal may decide ex aeuo et bono or amiable com- 
positeur (according to justice and fairness, rather than specific legal rules 
and/or principles) only if so authorised by the parties.[16 ] 


2.3 Section 47 of ECTA and choice of law 


It is instructive to note that the autonomy of the parties to choose applicable law 
is not always unfettered. Applicable mandatory rules may not be excluded by 
agreement. Procedural law is most frequently governed by the law of the ju- 


432 








risdiction that is a seat of arbitration, the lex loci arbitri. E-commerce dispu- 
tes, like international commercial arbitration disputes, are inherently trans-bor- 
der and /or trans-national, and the contract thereto attracts the possibility of a 
number of potentially applicable laws, from either one jurisdiction or different 
jurisdictions. [17 ] 

The relevant part of section of 47 of ECTA on applicability of foreign 
law in e-commerce states: “The protection provided to consumers in this Chap- 
ter, applies irrespective of the legal system applicable to the agreement in qu- 
estion.” Section 47 is read with the non-exclusion provisions of section 48, 
which states: “Any provision in an agreement which excludes any rights pro- 
vided for in this Chapter is null and void.” 


3. Analysis of ECTA 
3.1 Choice of Foreign Law 


The parties’ freedom to contract, which as indicated in 2.2 above as integral to 
the traditional South African paper-based contracts, is also important to e-con- 
tracts. One aspect of freedom to contract, the choice of applicable law, is an im- 
portant element in e-contracting. The inherent nature of e-commerce is that 
different parties may be involved with each other across national and regional 
borders and continents. The consequence of this interaction is that a variety of 
different legal sources may be applicable. In the perfect world parties to e-con- 
tract should be allowed to take advantage of these choices. 

In this context an interesting provision to note is section 47 of ECTA, en- 
titled “applicability of foreign law,” Section 47 states that “the protection pro- 
vided to consumers in Chapter 7 of ECTA will apply“ irrespective of the legal 
system applicable to the agreement in question.” The protections referred he- 
reto include those in respect of the provision of information to consumers[18]; 
the cooling-off period; [19]; unsolicited commercial information and goods; 
[20 ] and performance of the supplier’s contractual obligations. [21] Section 47 
is commendable in as far as it attempt to afford juridical protection to consu- 
mers, who are generally regarded as the weakest link in e-contracts. However, 
in trying to afford protection to consumers the South African legislature in my 
view went overboard, and trotted between overregulation and encroachment of 
accepted legal principles of contract. In fact literal interpretation of section 47 
concludes that the section prohibits reliance on any applicable law other than 
South African law. Put differently, ECTA is in this regard made mandatory law, 
which should be applied by the courts notwithstanding the terms of the contract 
between the parties. Gerada is of the view that critics provide *misconceived 
analysis” of section 47 by asserting that is highly prescriptive and onerous.[22] 


433 





He tries to counter the critics in this respect by stating that section 47 provision 
is contained in most electronic legislation in foreign countries and it reflects the 
UNCITRAL Model Law. Unfortunately he fails to substantiate his assertions. 
[23] 

Section 47 is akin to mandating the law of the consumer’s habitual re- 
sidence to override the contractual choice of law in a stricter manner than in the 
European Union, [24] in particular the EC Directive 97/7 on the Protections 
of Consumers in respect of Distance Selling Contracts[25] (EC Directive on 
Distance Selling), which influenced the consumer protection provision in 
ECTA. [25] As Gerada argues, ECTA provides for consumer protections in e- 
commerce like EC Directives do. The two however implements these consu- 
mer protections differently. For instance, section 47 of ECTA differs 
fundamentally from article 12(1) and (2) of the EC Directive on Distance Sel- 
ling which also gives effect to consumer protection. Article 12(1) provides that 
a consumer “may not waive the rights conferred” on him by the transposition 
of this Directive into national law. In cases were the law of a non-member sta- 
tes is chosen as applicable law and a consumer has a close connection with the 
territory of one or more Member States, Article 12(2) provides that member sta- 
tes are required to ensured that such consumer does not lose the protection 
granted by the Directive. Clearly section 47, read with section 48, is couched 
in mandatory and prescriptive terms, while article 12(1) is couched permissi- 
vely. Furthermore, Article 12(2) prima facie calls for assurance of minimum 
protections of consumer particularly when dealing with non-Member states. 
In any event, the comparison between ECTA and EU law is not a proper and 
valid comparison. The latter at least provides a choice of jurisdiction within a 
community of member states. The problem of exercising this choice arises ma- 
inly when the jurisdiction of a non-member is chosen as applicable law. 

The non-applicability of chosen foreign law pursuant section 47 is given 
more venom by section 48. The latter renders any contractual clause purpor- 
ting to exclude rights and protections under Chapter VII “null and void.” Thus 
the consumer protections provisions in section 42 cannot be contracted out in 
any way. [26] The question to be asked is whether this stringent choice of ap- 
plicable law approach in e-commerce is warranted? A Policy consideration 
behind restrictions notwithstanding, the approach is very difficult to defend. To 
begin with, the South African legal system is replete with laws that can ade- 
quately give consumers the needed protection which can apply mutatis mu- 
tandis even to e-contracts. For instance, the Promotion of Access to 
Information Act of 2 of 2002 may be used to protect to personal data. [27] 

Furthermore, section 47 could have ideally been much more attractive 
if it was couched permissively as a default provision. A mandatory choice of 


434 








law as provision as is section 47 read with section 48 makes little sense in e- 
commerce. ECTA was design to do away with dissimilarities that may arise 
between the traditional paper-based transactions and e-transactions, and not to 
perpetuate them. One of the ways to doing that was to allow parties to e-trans- 
actions some “fair amount of flexibility” in negotiating their private law solu- 
tions. [28] The form of protection envisaged in section 47 may stagnate the 
development of cross-border e-commerce in South Africa. It has the potential 
of characterising South Africa as an unacceptable jurisdiction. [29] This nega- 
tive characteristic can bring about parties negotiating their e-transactions in 
such a way that the risk of litigation in South Africa is minimised or avoided. 

In my view the drafters of ECTA could have taken the middle approach 
of subjecting the parties’ choice of law to the requirement of reasonableness 
and equity; or to the dictates of public policy as it is a trite law in South African 
courts. [30] Thus, the provision could have stated that the parties to an e-trans- 
action may choose any law to apply to their contract, including foreign law, 
provided that such as choice of applicable law is not unreasonable and unjust 
in relation to a consumer contract. Perhaps I should note that some of the ri- 
ghts sought to be protected by section 47, such as the right to information, de- 
rive from the Bill of Rights in the Constitution of the Republic of South Africa 
of 1996. Mindful of the fact that the Constitution is the Supreme law of South 
Africa, the same right is in the Constitution not cast in absolute non-derogation 
terms. In fact, section 36 of the Constitution allows some deviation from the 
Rights in the Bill of Rights provided such deviation or limitation is reasonable 
and justifiable. Therefore, even from a constitutional perspective the enforce- 
ment of a choice of applicable law in e-contracts will be acceptable, though li- 
miting the consumer’s right as contained in Chapter 7 of ECTA, as far as its 
existence in the contract is reasonable and justifiable. 

The argument here is that instead of the total exclusion of choice of law 
adopted in e-contracts the South African legislature should have adopted a 
mixed approach. An approach somewhere between preferential law which, ac- 
cording to Zheng Tang, leaves open recourse to a law more favourable to con- 
sumer which is often the law of the consumer’s habitual residence, but also 
not excluding the law of the supplier of services;[31] and the minimum rights- 
protection approach that involves directives on fairness in contract terms, and 
advertising, etcetera. [32] Interestingly, the minimum rights approach obtains 
in the National Credit Act (NCA) 34 of 2005 (NAC) albeit in a slightly diffe- 
rent context. Section 55 of the latter, for instance, treat is void or voidable any 
contract provisions including that of requiring a consumer to his/her waive ri- 
ghts under the Act, or imposing a limited liability on the supplier. 


435 





3.2 Jurisdiction 
3.2.1 In respect of connecting factors 


ECTA is silent on the issue of a South African court as a forum to adjudicate 
e-commerce disputes. In this regard one has to look at the prevailing law and 
practice. Generally, in determining if a South African court is an appropriate 
forum in contractual matters the following questions are asked: Where did the 
cause of action arose; where the defendant is domiciled, resident, or employed; 
where is the defendant carrying on business; or whether the parties chose the 
South African law as the law governing their contract. [33] Moreover, South 
African courts can be adjudication forum by virtue of submission. 

In ordinary contractual disputes the determination of jurisdiction a forum 
becomes not much of a problem when applying the above-mentioned indices. 
However, it may be very difficult to apply these determinants in an e-com- 
merce context. Particularly problematic will the jurisdiction on the basis of a 
cause of action. Take for example, section 28(1)(d) of the South African Ma- 
gistrates’ Courts Act 32 of 1944 which empowers the courts to have jurisdic- 
tion over any person, whether of not such person resides, carries on business 
or is employed within the district of that court, provided the cause of action 
“arose wholly within the district” of the court. In fact the entire section 28 of 
the Magistrates’ Courts Act in essence resembles the minimum contacts requ- 
irement standard, which has comparatively been employed in e-commerce in 
other jurisdictions such as Maine and Utah. The Maine courts, for example, 
have used the “minimum contacts” rule to address this problem. In McBee v 
Delica Co., No. 02-198-P-C (D. Me. 2003) the court held that transactions with 
Miane residents constituted minimum contacts sufficient to bestow jurisdic- 
tion on a Maine court. In this case the minimum contact was established as a 
result of the defendant having used the name of a Maine resident in on its clo- 
thing. The Utah court in Denn v. MLeads Enterprises, In., 103 P.3D 156 (Utah 
Ct. Appl. 2004) found that minimum contact existed as a result of the defen- 
dant having purposely directed its activities through email to Utah residents. 

The current legislative recourses in South Africa not withstanding, in 
my opinion the legislature should have at least given a direction or guidance 
in some difficult aspects of jurisdiction. Take, for example, problems that may 
be experienced in the following: In respect to a claim related to a contract, the 
word “wholly” means that it must be shown not only that the contract was 
concluded within the magisterial district concerned, but that the breach occur- 
red there as well in order for the magistrate to be vested with jurisdiction. This 
is a difficult requirement to satisfy in e-commerce. E-commerce lacks a speci- 
fic geographical location. How would one determine, for example, the conc- 


436 








lusion of a contract and breach thereof, in order to decide that a South African 
magistrate court is the appropriate forum to govern the dispute between the e- 
contractants? 


3.2.2 In Respect of Criminal Offences 


Chapter XIII of ECTA sets out the first statutory criminal provisions on cyber 
offences in the history of South African law. The offences relate to activities 
like hacking; tapping into data flows; release or transfer of computer viruses, 
and computer related extortion, fraud and forgery. The jurisdiction in respect 
of these offences is set out in Chapter XIV, and the legal principles applicable 
in this regard are based primarily of territoriality. 

Based on the traditional principles of territoriality a South Africa has so- 
vereign power to prosecute offences that happen in part or in full within her 
borders, or offences whose effects are felt in within South Africa. The appro- 
ach in ECTA remains the same. Under ECTA, [34] the South African court will 
be able to try an offence if committed within South Africa[35]; when the pre- 
paration of the offence happened in South Africa or part of the offence was af- 
fected in South Africa or where any result of the offence has had an effect in 
the South A frica[35]; when the offence was committed by a South African ci- 
tizen or a permanent resident of South Africa or a person carrying on business 
in South A frica[36]; and where the offence was committed on board of a ship 
or aircraft registered in South Africa or on board a flight to or from South Africa 
at the time the offence was committed.[37] By granting the courts criminal ju- 
risdiction when the cyber offence was committed by a South African citizen or 
a permanent resident of South Africa or a person carrying on business in South 
Africa, it is not unambiguously clear if the legislators intended ECTA to be a 
long arm statute, granting the courts extra-territorial jurisdiction. If this was 
the intention of the legislature then ECTA will have an enforcement problem 
in respect to “a person carrying on business in South Africa.” 


3.3 Recognition and Enforcement of Foreign Judgements 


3.3.1 Court Judgments 


ECTA is also silent on the recognition and enforcement of foreign judgments 
in e-commerce disputes. This lacuna is less worrisome since the South African 
private international law have always permitted the recognition or enforcement 
of judgments of foreign courts. In fact, in South Africa the recognition and en- 
forcement is fairly legislated. One of the main relevant legislation in this regard 
is the Foreign Civil Judgments Act (FCJA) 32 of 1988, which recognises judg- 


437 





ments obtained in foreign countries on a reciprocal basis. 

Note, however, that South African courts do not hesitate to refuse fore- 
ign judgments, in cases, for example, where the original court lacked any ju- 
risdiction to hear a dispute, or the judgement is seen as against public policy 
in South Africa. The Protection of Businesses Act (PBA) 99 of 1978, for exam- 
ple, subject the enforcement of foreign judgment to some stringent require- 
ments and leaves the enforcement of foreign judgments to the discretion of the 
Minister of Economic Affairs. In terms of this Act any foreign judgement for 
multiple or punitive damages in connection with the mining, production, im- 
portation, exportation, refinement, possession, use or sale of or ownership to 
any matter or material shall not be recognised or enforced in South Africa. 
[38]This approach will likely be employed with regard e-commerce cases by 
South African court, particularly since it is the globally adopted approach in- 
cluding in jurisdictions such as the European Union. [39] 


3.3.2 Arbitration Awards 


In cases of arbitral awards the South African courts are likely to follow the pre- 
vailing position in terms of which the recognition and enforcement of foreign 
arbitral awards by a court is mandatory in line with the New York Convention 
on the Recognition and Enforcement of Foreign Arbitral Awards of 1958 (New 
York Convention) to which South Africa is a party, and pursuant to the coun- 
try’s Recognition and Enforcement of Foreign Arbitral Awards (REFAA) 40 of 
1977. REFAA gives effect to South Africa’s obligations under the New York 
Convention. l 


4. Conclusion 


Compared to a number of legislation in the field of business in South Africa 
ECTA was designed to be a more favourable means to conduct e-business. 
ECTA to a certain extend does not leave up to South Africa’s vision of an elec- 
tronic transaction policy which takes due cognisance of international best prac- 
tices and conformity with the law and guidelines of comparative national 
jurisdictions and international bodies.[40] Admittedly there is not much that 
could have been done with respect to the recognition and enforcement of judg- 
ments. The current regime suffices for application to judgments related to e- 
contracts. Only issues including choice of law and party autonomy, and 
jurisdiction in e-commerce or e-transaction are not adequately addressed in 
ECTA. 

Sir George Jessel MR in the English case of Printing and Numerical Re- 
gistering Company v Sampson [1875] LR 19 EQ 462, 462 once said: 


438 








“If there is one thing which more than another public policy requires it 
is that men of full age and competent understanding shall have the 
utmost liberty of contracting, and that their contracts when entered into 
freely and voluntarily shall be held sacred and shall be enforced by Co- 
urts of Justice. Therefore you have this paramount public policy to con- 
sider - that you are not lightly to interfere with this freedom of contract”. 


In South Africa the law on parties’ choice of law is very concerning. The 
parties’ choice of law freedom has been radically displaced, and clothed in 
ubiquity. It would seem that ECTA requires only the mandatory application of 
the law of the consumer’s habitual place, South Africa, or something similar. 
The policy considerations behind restrictions on the choice of applicable law 
notwithstanding, it should be borne in mind that the parties’ freedom to con- 
tract is still integral to e-transactions. The South African law in this regard is 
not that of functional equivalence with paper-based transactions. ECTA also 
missed the opportunity to address some of the jurisdictional problems, in par- 
ticular the regulation of jurisdictional connecting factors in e-contracts. 


Notes 


[1] Section 1 ECTA use the term automated transaction — which means an “electronic trans- 
action conducted or performed, in whole or in part, by means of data messages in which the 
conduct or data messages of one or both parties are not reviewed by a natural person in the 
ordinary course of such natural person’s business or employment.” 

[2] See [page 2 “Green Paper on Electronic Commerce for South Africa”) 

[3] Other members are Angola; Botswana; Lesotho; Namibia; Mozambique; Swaziland; 
Tanzania; Zambia; Zimbabwe; Mauritius; Democratic Republic of the Congo; and Mada- 
gascar. 

[4] See General Assembly Resolution 51/162 of 16 December 1996: United Nations Com- 
mission on International Trade Law Model Law on E-Commerce (UNCITRAL Model Law) 
from http://www.uncitral.org/en-index.htm. Model Law aims at providing national legi- 
slatures with a “template of internationally acceptable rules” when enacting or revising 
their e-commerce laws. 

[5] ECTA s 3. 

[6] sec 2(1)(a) 

[7] Sec 2(1) (b) 

[8] Sec 21) G) 

[9] Sec 20) © 

[10] See Chapter XIII for offences including hacking; interception with data; interference 
with data; computer related fraud, and forgery. 

[11] von Hippol E “The Control of Exemption Clauses: A Comparative Study” (1967) 16 
ICLQ 591 at 592. 

[12]Sec Brisley v Drotsky 2002 (4) SA 1 (SCA) par 94; Mort NO v Henry Shields-Chiat 
2001 (1) SA 464 (C) at 475B;; Standard Bank of South Africa Ltd v Wilkinson 1993 (3) SA 
822 (C)at 826G, Sasfin (Pty) Ltd V Beukes 1989 (1) SA 1 (A) — utmost freedom of con- 
tract; Osry v Hirsh Loubser & Co Ltd 1922 CPD 531, at 546 — “modern jurisprudence in 
favour of liberty of contract.” 








439 








[13]Hopkins K writing on “Exemption clauses in contracts” in 2007 De Rebus (South Afri- 
ca’s Attorney Journal) 

[14] Transamerica Insurance Co. v. Bloomfield, 55 Or. App. 31, 637 P.2d 176, 180 (1981). 
[15] See, UNCITRAL Arbitration Rules, art. 33(1); ICC Rules, art. 13(3); EU Convention, 
art. VII (1); LCIA Rules (1998), art. 16(3); Swiss Public International Law Statute, art. 
187; and Dutch Code of Civil Procedure, art. 1054 etcetera. 

[16] UNCITRAL Arbitration Model Law, art.28 (3). See also, UNCITRAL Arbitration 
Rules, art.33(2); ICC Rules, art.17(3); French Code of Civil Procedure, Book Four (Arbi- 
tration Legislation of 1981), art.1497; Swiss Private International Law Act, art.187(2); Ger- 
man Code of Civil Procedure, Chapter 10 (Arbitration Legislation of 1998), art.1051(3); 
Indian Arbitration and Conciliation Act of 1996, art.17(3). 

[17] According to Lord Mustill in Channel Tunnel Group Ltd v. Balfour Beatty Construc- 
tions Ltd [1993] 1 ALL E.R 664 at 682, at least four potential levels of law involved in in- 
ternational arbitration can be identified. These are (a) the law applicable to the arbitration 
agreement — regulating the obligations of the parties to settle their disputes by arbitration; 
(b) the law applicable to the substance of the disputes — to determine obligations of the par- 
ties in relation to their substantive contracts; (c) the law applicable to arbitration proce- 
edings — to regulate the conduct of arbitration proceedings; and (d) the law applicable to 
terms of reference to govern the individual reference to arbitration. More freedom is often 
given to parties to choose the law applicable to substantive issues or the merits of the pro- 
ceeding, than to the conduct of proceedings (procedural rules). 

[18] S 43 

[19] S 44 

[20] S 45 

[21] S 46 

[22]Gereda SL “The Electronic Communications and Transactions Act” at 284 from 
http:/Aink,wits.ac.za/paper/telelaw12.pdf. 

[23] See Gillies LE “Choice of Law Rules for Electronic Consumer Contracts: Replacement 
of the Rome Convention by the Rome I Regulation” (2007) 3 Journal of Private Law at 97 
— 98. 

[24]EC Directive 97/7 on the Protections of Consumers in respect of Distance Selling Con- 
tracts (20 May 1997). Other relevant Directives include Directive 200/31/EC of the Euro- 
pean Parliament and of the council of 8 Jube 200 on Certain Legal Aspects of Information 
Society Services, in Particular Electronic Commerce, in the Internal Market (Directive on 
Electronic Commerce) in Official Journal of the European Communities L178/1 (17 July 
2000). 

[25]Gerada supra note 22, at 290. 

[26] Ibid at 278. 

[27] In fact, the Act is currently in interim used as a measure to protect personal data until 
specific data privacy legislation has been promulgated. 

[28] See ECOWAS/ECCR Report (2005) at 22. 

[29] See Gerada supra note 22, at 284fn58. 

[30] See for example: Baart v Malan 1990 (2) SA 862 (E) at ??; Ocean Dinners (Pty) Ltd 
v Golden Hill Construction CC 1993 (3) SA 331 (A) at ?? Morrison v Angelo Deep Gold 
Mines Ltd 1905 TS 775 at 785; Wells V South African Alumenite Co 1927 AD 69 at 73. 
However, the courts have also warned against diluting the sanctity of contract by frequent 
reference to public policy for public policy is a very unruly horse. See Sasfin (Pty) Limi- 
ted v Beukes 1989 (1) SA 1 (A) at 9B and Brummer v Gorfil Brothers Investments (Pty) Li- 
mited & Others 1999 (3) SA 389 (SCA) at 420F. See further Brisley v Drotsky 2002 (4) SA 


440 








1 (SCA) where the court held that even the Constitution or the value system it embodies em- 
powers a court to invalidate contracts "on the basis of judicially perceived notions of unjust- 
ness or to determine their enforceability on the basis of imprecise notions of good faith." 
[31] See Tang Z “Parties’ Choice of Law in E-commerce Contracts” (2007) 3 Journal of 
Private International Law at 122. 

[32] See Tang ibid at 129. 

[33] See generally, for example, section 28 of the South African Magistrates’ Courts Act 
32 of 1944. 

[34] S 90(a) 

[35] S 90(b) 

[36] S90(c) 

[37] S 90(d) 

[38] S 1(A). See also Jones v Krok 1996(1) SA 504 (T) where the plaintiff instituted an ac- 
tion for provisional sentence proceedings based upon a judgment in his favour by the Su- 
perior Court for the State of California for the County of Los Angeles, which consisted of 
compensatory damages in the sum of US $13 670 987 and punitive damages in the sum of 
US $12 000 000. . 

[39] See generally EU Regulation of 22 December 2000 (Brussels Regulations). 

[40] See ECTAs 10. 


RFERENCES 


1. ECOWAS/ECCR Report (2005) at 22. 
Gereda SL “The Electronic Communications and Transactions Act” at 264 ava- 
ilable at http://link.wits.ac.za/paper/telelaw12.pdf accessed on 10/07/2007. 

3. Gillies LE (20070 “Choice of Law Rules for Electronic Consumer Contracts: Re- 
placement of the Rome Convention by the Rome I Regulation” Journal of Pri- 
vate Law Volume 3, 89. 

4. Hopkins K (2007) “Exemption clauses in contracts” De Rebus (South Africa’s 
Attorney Journal) 

5. Tang Z (2007) “Parties’ Choice of Law in E-commerce Contracts” J ournal of Pri- 
vate International Law Volume 3, 113. 

5 von Hippol E (1967) “The Control of Exemption Clauses: A Comparative Study” 
International Comparative Law Quarterly Volume 16, 591. 


441 


The Internet Gambling Conundrum: 
Extraterritorial Impacts of Domestic Regulation 


Edward A. Morse 
Professor of Law 
McGrath North Mullin & Kratz Chair in Business Law 
Creighton University School of Law 
Omaha, Nebraska 68178 


morse@creighton.edu 


Abstract.The geographical transcendence of the Internet presents 
challenges for government regulation of activities such as Internet gam- 
bling, which are legally proscribed in some jurisdictions and allowed in 
others. The Unlawful Internet Gambling Enforcement Act (UIGEA) 
enacted in October 2006 provides one approach to regulating Internet 
gambling by focusing on financing, rather than the conduct of indivi- 
dual gamblers. Though this approach will generally protect the privacy 
rights of individuals and preserve free access to the Internet, it will im- 
pose costs on the business community. This article provides an analy- 
sis of the UIGEA and its effects on Internet gambling firms and firms 
that provide transactional services. Financial markets suggest this legi- 
slation has reduced Internet gambling in publicly traded firms, even be- 
fore enabling regulations have been enacted. However, this law may also 
have the effect of enhancing investment capital flows for online gam- 
bling firms, due to clarification of the legal status for firms who are not 
targeting U.S. residents in violation of UIGEA. The ultimate result may 
depend on whether other nations follow suit in targeting extraterritorial 
business with domestic gambling patrons. [Author’s Note: A prior ver- 
sion of this paper is being published in the COMPUTER LAW & SECURITY 
REPORT, Vol. 23, No. 6 (Elsevier, 2007). This article is published with 
permission from Elsevier, Ltd.] 


1. Introduction. 





Governments have longstanding concerns about the operation of gambling en- 
terprises. The possibility of funding criminal (and perhaps terrorist) enterpri- 
ses, expanding social costs from pathological or problem gambling, protecting 
minors, and other normative judgments have all contributed toward govern- 
ment-imposed limits on gambling in many jurisdictions. Some governments 
impose broad proscriptions against gambling, which are supported by criminal 
sanctions; others have trended toward regulation and taxation, thus harnessing 
consumer demand as a tool to raise revenues. Licensing gaming firms may 
ameliorate some risks associated with gambling businesses, such as excluding 


443 


criminal elements and ensuring fairness. Licensing and regulation also facili- 
tates government oversight for purposes of enforcing tax collections. 

Internet gambling threatens state-imposed restrictions on gambling, 
whether in the form of prohibition or licensing, by providing access to gam- 
bling from the privacy of one’s home. The geographical transcendence of the 
Internet presents an opportunity for gaming firms to connect with consumers, 
which might otherwise be denied access to this activity in the local geographic 
market. However, this opportunity presents a corresponding challenge for go- 
vernment, which must contend with the realities of jurisdictional limitations in 
exercising both legislative and enforcement powers. Such limitations may si- 
gnificantly constrain their policy choices in addressing this issue, to the extent 
they might choose something other than full legal recognition (or at least, tacit 
approval) of Internet gambling activities. 

Since the consumer is located within the jurisdiction of the proscribing 
state, one obvious approach would focus enforcement efforts on the individual 
gambler. However, such an approach raises a formidable challenge in an envi- 
ronment where free access to the Internet and personal privacy is valued. Mo- 
reover, the costs of enforcement might prove more significant than the social 
costs one is seeking to avoid, particularly if individuals are targeted and their 
numbers are large. 

Another approach would focus on gambling firms, but here the juris- 
dictional constraint is real. To the extent that foreign governments allow In- 
ternet gambling, the power of proscription is significantly constrained. 
Extraterritorial impacts of domestic rules are thus only felt to the extent that ju- 
risdiction can be obtained over the actors, such as when the actor is physically 
present or otherwise has assets or other significant contacts in the proscribing 
jurisdiction. 

A third approach is also available, which focuses more broadly on the 
structure of the gaming operation. Instead of targeting only the gambling firm, 
enforcement efforts might also seek to constrain other firms providing ancil- 
lary services, such as financing and advertising, which are essential to the In- 
ternet business model. 

These approaches are not mutually exclusive. As will be discussed 
below, legislation and law enforcement efforts in the United States have moved 
toward the third approach for addressing the Internet gambling phenomenon in 
the United States. This article discusses recent law enforcement efforts and 
legislation in the United States imposing constraints on Internet gambling prac- 
tices, with particular emphasis on the Unlawful Internet Gambling Enforce- 
ment Act of 2006 (UIGEA). Part 2 provides an overview of the Internet 
gambling business environment. Part 3 discusses the law enforcement envi- 
ronment in the U.S. prior to enactment of UIGEA. Part 4 outlines significant 


444 








provisions in UIGEA, and their impact on gambling firms and related busi- 
nesses. Part 5 provides a look forward at future policy considerations and de- 
velopments in this area. 


2. Overview of Internet Gambling. 


Internet gambling is a prime example of the adaptation of commercial activity 
to exploit the geographical transcendence of the Internet. Though the magni- 
tude of Internet gambling is difficult to gauge with certainty, Christiansen Ca- 
pital Advisors has estimated more than $15 billion in annual losses by Internet 
gamblers for 2006 — up sharply from just over $3 billion in 2001.[1] Licenses 
to operate legal Internet gambling operations are available in many jurisdic- 
tions, including the U.K., Canada, Costa Rica, Gibraltar, and Antigua, to name 
a few. [2] Papua New Guinea was added to the list in 2007, allowing Internet 
gambling licenses as well as land-based casinos for the first time. [3] 

Many jurisdictions that offer Internet gambling licenses also offer land- 
based gambling alternatives. However, in the U.S., Internet wagering is ge- 
nerally prohibited despite the fact that land-based gambling operations are 
allowed. More than thirty U.S. states have legal casino gambling operations, 
other states may prohibit casino games, but permit horse racing or other forms 
of gambling. [4] 


a. Are Internet Gambling Restrictions Protectionist? 

Free-trade proponents suggest that allowing patrons to engage in legal dome- 
stic gambling while denying those same patrons the right to participate in In- 
ternet gambling is an unfair protectionist practice. Preventing consumers from 
choosing remote gambling operations instead of local gambling may be moti- 
vated, at least in part, by the desire to protect significant tax collections for 
state and local governments. However, Internet-based proscriptions may also 
be affected by other government concerns, including risks to the public we- 
lfare from Internet gambling practices. 

In a celebrated case before the WTO, the island nation of Antigua and 
Barbuda claimed that U.S. laws preventing citizens from legally accessing In- 
ternet gambling sites located outside the U.S. constituted a violation of U.S. ob- 
ligations under the General Agreement on Services (GAS). An appellate 
decision later severely restricted the scope of this ruling, requiring the U.S. to 
engage in legislative changes, including changes to laws applicable to Internet 
wagering on horse racing, in order to conform with treaty obligations. [5] This 
dispute remains officially unresolved, with no movement by the U.S. toward 
complying with the WTO ruling by imposing further restrictions on the limi- 
ted usage of the Internet in legal gambling operations. 


445 


Protectionist criticisms are not limited to the United States, For exam- 
ple, France recently excluded an Internet poker site from sponsoring a rider in 
the Tour de France, while allowing a domestic gambling operation to sponsor 
a rider. [6] One commentator quipped that this approach is similar to saying that 
“beer is dangerous if you drink the other fellow’s brand, but not if you drink 
my brand.” [7] Other disputes have also arisen in the European Union, as go- 
vernments seek to wrestle with the parameters for appropriate regulation in 
these matters. [8] 

Internet gambling may indeed present a different set of risks than land- 
based operations. For example, U.S. gambling laws include significant con- 
straints on minors, who are typically not allowed to gamble legally until age 21. 
Age verification is problematic without a reliable and robust mechanism for 
identification. Credit card access alone is not a sufficient basis for age verifi- 
cation. [9] Compounding this difficulty, young adults who are under 21 may 
commonly have access to computers without parental oversight. Public he- 
alth concerns about college-aged minors engaged in gambling are significant; 
even college athletes are not immune to these temptations. [10] 

The social [4]dynamics of Internet gambling, which occurs in an isola- 
ted personal environment, also raises questions about risks of addictive or com- 
pulsive behavior. Consequences of this behavior may not be limited to the 
individual, but may also affect the society in which he or she lives. Thus, a co- 
untry that “exports” gambling services may also be exporting social costs that 
other governments may have to address without the benefit of the tax revenues 
traditionally generated by land-based gambling enterprises, 

This “export” potential is evident from the fact that many countries of- 
fering Internet gambling have relatively low percentages of Internet penetra- 
tion in their own markets, suggesting a tendency to rely on nonresidents. For 
example, Antigua has approximately 69,000 residents, of which only 20,000 
are estimated to be Internet users. Papua New Guinea, witha population of 5.8 
million, has only 170,000 Internet users, or only about three percent of the total 
population. [11] On the other hand, the United Kingdom has 60.7 million re- 
sidents, with 37.6 million (or more than 60 percent) being Internet users. [12] 
Canada has 33.4 million residents, and more than 21.9 million (more than 65 
percent) are Internet users. [13] Additional research in this area is likely to 
have a significant impact on policy directions affecting the liberalization of In- 
ternet gambling options, as governments must consider not only the revenues 
generated, but the costs involved. 


b. Internet Gambling in the U.S. 


Internet gambling is generally not allowed in the United States. However, there 
are limited exceptions, including wireless gambling devices that have been ap- 


446 








proved for operation on the grounds of casinos in Nevada. Though wireless ne- 
tworks are used, this is quite different from interjurisdictional Internet betting 
that is being targeted by government. Limited access to Internet gambling for 
purposes of off-track betting on horse racing may also be practiced in some 
areas without adverse treatment. [14] 

Despite the lack of domestic options for Internet gambling firms, data in- 
dicate that U.S. patrons have been important participants in this marketplace. 
Financial information from Internet gambling firms shows significant partici- 
pation by U.S. patrons. PartyGaming PLC, a Gibraltar-based online gaming 
company, has stated in financial disclosures to shareholders that U.S. patrons 
have “historically represented the majority of [its] revenues and profits.” [15] 

Actual figures suggest that “vast majority” may be more accurate. For the 
first nine months of 2006, the last period before the company decided to ter- 
minate customer relationships with U.S. patrons, the company had average 
daily revenues of $3.6 million, reflecting more than 43.5 million “active player 
days” (i.e., days on which a player made bets on the PartyGaming site) and re- 
venues per active player of $602.20. However, when U.S. patrons are exclu- 
ded, these figures drop considerably, with daily revenues of only $872,920 and 
only 10.8 million “active player days,” which are less than 25 percent of the to- 
tals reported above. U.S. patrons apparently wagered and lost more than their 
non-U.S. counterparts, who yielded average losses of only $447.20 per patron. 

PartyGaming Plc is recovering from its change in policy to reject U.S. 
patrons, and is reporting significant growth from non-U.S. markets. One might 
ask: What would cause a Gibraltar-based company, without apparent U.S. ties, 
to change its business practices to reject the patronage of three fourths of its 
best-paying customers? As discussed below, the answer can be found in U.S. 
legislation passed in late 2006 that has clarified the status of Internet betting, 
coupled with law-enforcement efforts signaling attempts to enforce those laws, 
even against nonresidents. 


3. U.S. Law Enforcement Efforts Prior to UIGEA. 


At the Federal level, the legal status of Internet gambling in the United States 
has at times left some room for uncertainty. The Unlawful Internet Gambling 
Enforcement Act (UIGEA) enacted in October 2006 resolved some of that un- 
certainty by clarifying the unlawful status of Internet betting that is not autho- 
rized by state law. 

Prior to UIGEA, attempted prosecutions for Internet gambling activi- 
ties were rare, and produced divergent results. In one celebrated case, United 
States v. Cohen, [16] an executive of an Internet sports betting operation in 


447 





Antigua was arrested when he returned to the United States, where he was 
charged with violation of the Wire Act, 18 U.S. C. § 1084(a), which states in 
relevant part: 

Whoever being engaged in the business of betting or wagering 
knowingly uses a wire communication facility for the transmission in interstate 
or foreign commerce of bets or wagers or information assisting in the placing 
of bets or wagers on any sporting event or contest, or for the transmission of a 
wire communication which entitles the recipient to receive money or credit as 
a result of bets or wagers, or for information assisting in the placing of bets or 
wagers, shall be fined under this title or imprisoned not more than two years, 
or both. 

Cohen’s business activities were held to fall within the scope of the Wire 
Act, as they involved the use of wire communications for placing bets in vio- 
lation of the act. The fact that Cohen was not directly involved in accepting 
bets was not a defense, as he was also guilty of “aiding and abetting” the com- 
mission of a crime by others. As the court explained: 

Cohen was a moving force behind WSE's entire operation, which 
continued to function after his arrest. Cohen retained his position as President 
of WSE while on bail after his arrest. Although Cohen purportedly did not 
“deal with daily operations” at WSE after his arrest, he also made no effort to 
curtail those operations. In fact, he benefited from them by receiving a salary, 
his travel expenses, and his legal fees from WSE. He clearly was still in a 
position to cause others, willfully, to commit acts that would have been crimes 
had he himself committed them. He could, therefore, have been found liable 
for aiding and abetting WSE's ongoing violation of § 1084. [17] 

To the consternation of the Internet gambling community, Cohen’s co- 
nviction and sentence to a prison term were both sustained on appeal. 

As a technical matter, others in Cohen’s firm may also be in violation 
of the Wire Act, to the extent that the firm obtained wagers from patrons resi- 
dent in the United States and transmitted bets online or transmitted bets via te- 
lecommunications facilities. Suppliers and perhaps even government officials, 
to the extent not protected by Sovereign Immunity, might also be in violation. 
[18] However, in order to prosecute, the U.S. would have to obtain jurisdic- 
tion over the person. In Cohen’s case, he was a U.S. citizen who surrendered 
himself to U.S. authorities in order to resolve this question. 

Other courts interpreting the Wire Act have suggested constraints on 
finding violations to the Act, including “aiding and abetting” violations like 
those found in Cohen. The Wire Act refers to “bets or wagers on sporting 
events or contests.” Other federal legislation, the Professional and Amateur 
Sports Protection Act, specifically targets betting on sports, subject to certain 


448 








local exceptions. [19] Though Cohen’s firm was squarely within these pro- 
scriptions, online casino operations involving casino games instead of sports 
betting may arguably be outside the scope of the statute. The Fifth Circuit 
Court of Appeals has so held in a case involving an attempt to prosecute Ma- 
sterCard International for violation of the Wire Act and other criminal statutes, 
including RICO, for transmitting payments for online gambling. [20] (At least 
one state court in New York has disagreed, finding that Internet gambling is wi- 
thin the scope of the purpose of the statute. [21]) 

In light of these cases, some uncertainty existed as to the Federal basis 
for prosecution of Internet gambling activities. Though the laws of individual 
states may present an opportunity for prosecution, a federal legal framework 
would be critical for the formation of a consistent, national policy about these 
matters. Congress had considered the matter of Internet gambling for several 
years, but federal legislation was not enacted until late in 2006. 


4. The Unlawful Internet Gambling Enforcement Act of 2006. 


The Unlawful Internet Gambling Enforcement Act (UIGEA) was signed by 
President Bush on October 13, 2006. [22] Though Congress had attempted to 
legislate regarding Internet gambling for nearly a decade, none of its prior ef- 
forts had made it into law. A prior version of the UIGEA, H.R. 4411, had pas- 
sed the House of Representatives by an overwhelming majority in July 2006. 
However, this bill languished in the Senate, suggesting that it might otherwise 
have died a quiet death, much like its predecessors. [23] 

New life was breathed into this legislation in late September 2006, when 
the Conference Committee inserted this legislation into a major port security 
bill that Congress wanted to enact prior to a recess before the November 2006 
elections. [24] Thus, the UIGEA was enacted as Title VIII of the SAFE Port 
Act. [25] 

This indirect means of securing passage for the UIGEA has been criti- 
cized by opponents of restrictions on Internet gambling, some of whom have 
introduced rival legislation to regulate, rather than prohibit, Internet gambling. 
Representative Ron Paul of Texas introduced one such bill, stating in part: 

Last year, a ban on internet gambling was snuck into a port security bill. 
This ban on internet gambling is an outrageous affront to individual freedom. 
H.R. 2046 [styled as the ‘Internet Gambling Regulation and Enforcement Act’] 
restores respect for the right to patronize internet gambling sites as long as the 
sites follow certain Federal laws. [26] 

This bill has not been enacted, and it is unlikely to muster the support ne- 
cessary to change the status quo at anytime in the near future. 

The UIGEA does not amend the Wire Act or otherwise clarify the con- 


449 


tours of illegal gambling behaviors for individual patrons. Patrons continue to 
be subject to state laws in the jurisdiction where their conduct occurs, and thus 
they are not affected directly by this legislation. Instead, the UIGEA focuses 
on financing activities that are necessary for Internet gambling businesses to 
flourish. As discussed below, restrictions under the UIGEA may have signifi- 
cant extraterritorial effects, including effects on firms not directly involved in 
Internet gambling. 


a. Criminal Liability. The heart of the UIGEA is found at 31 U.S.C. § 5363, 
which states in part that “[n]o person engaged in the business of betting or wa- 
gering may knowingly accept [various types of payments], in connection with 
the participation of another person in unlawful Internet gambling.” Violation 
of this provision subjects the actor to criminal penalties, including fines or im- 
prisonment of not more than five years, or both. [27] 

Enforcement of this act, however, will require jurisdiction over the per- 
son of those involved in this kind of activity. As evidenced in the Cohen case, 
offshore actors could potentially avoid prosecution by avoiding the jurisdic- 
tional reach of U.S. courts. However, efforts by the Justice Department and 
state attorneys general to prosecute those who enter the United States have 
drawn attention to the potential risks associated with violating U.S. laws. The 
possibility of extradition pursuant to treaties with other nations may also extend 
the jurisdictional reach. 

For example, a director of online betting firm Sportingbet was arre- 
sted by authorities while flying into New York. This arrest prompted Spor- 
tingbet to pay $400,000 to the state of Louisiana to drop charges of illegally 
directing online gambling toward the state. Sportingbet also agreed to close its 
U.S. online gambling operations. [28] 

The CEO of online gaming site Betonsports, was arrested in Dallas in 
July 2006. As a part of BetonSports's agreement with the United States Attor- 
ney's Office for the Southern District of New York, Betonsports not only ac- 
cepted crippling effects to its business by shutting down its U.S. facing 
operations, but also agreed to return funds accepted from U.S. customers by the 
end of June 2007. [29] 





b. Who is in the Business of Betting or Wagering?. The Act provides that the 
“business of betting or wagering” is defined to exclude the activities of a “fi- 
nancial transaction provider, [an] interactive computer service or telecommu- 
nications service.” On its surface, this definition may provide some security 
for firms without direct gambling ties that may provide services that unkno- 
wingly assist another firm that is in the gambling business. Such firms may be 


450 








immune from criminal liability under the Act. However, other statutes may 
provide reason for concern. 

For example, 18 U.S.C. § 2 provides a basis for criminal liability for 
those who aid or abet the commission of a crime. Although unknowing parti- 
cipation in payment or communications activities involving a person engaged 
in unlawful internet gambling is not a sufficient basis for aiding and abetting 
liability, [30]the potential for criminal liability should be considered in this 
context. [31] Others involved in knowingly transmitting funds have faced char- 
ges under other federal laws, including violation of federal money laundering 
and racketeering laws, despite the fact that the gambling firm was located out- 
side the United States. [32] Thus, the clarification of the illegal behavior of the 
gambling firm accomplished in section 5363 has broader implications, which 
can affect other non-gambling businesses. 

Proscribed payments, known as “restrictive transactions,” include credit 
or the proceeds of credit (including credit card payments); electronic fund 
transfers, including money transmitting services; and checks, drafts, or simi- 
lar instruments. [33] In addition to specific financial instruments and payment 
methods, the Act also broadly proscribes the receipt of “the proceeds of any 
other form of financial transaction” as regulated by the Federal Reserve Sys- 
tem. 

Section 5364 requires the Federal Reserve to promulgate regulations 
that will require the development of systems to identify and block restricted 
transactions. Those proposed regulations were due on July 10, 2007. [34] Ho- 
wever, they were not issued until October 1, 2007. [35] The regulations and 
accompanying commentary take up more than fifty pages, and a detailed ana- 
lysis is beyond the scope of this article. However, some important features 
merit attention. 

First, the proposed regulations do not contain specific requirements for 
policies and procedures that must be followed in various payment systems, but 
instead take a more general approach toward allowing the financial services 
community to develop practices that make sense in these areas. For example, 
the proposed regulations for credit card and online payment systems follow 
the approach reflected in existing practices, including the coding of transactions 
and the merchants that accept such payments. Most firms already prohibit the 
use of their payment systems for online gambling transactions and have adop- 
ted coding systems that flag unlawful transactions. [36] A “safe harbor” set of 
guidelines is provided, which allows greater security for the regulated entities 
with regard to compliance, but otherwise the approach is remarkably nonspe- 
cific. 

Second, the regulations attempt to be sensitive to the inevitable cost-be- 


451 


nefit tradeoffs that come from regulation in this area. For example, they con- 
tain extensive exemptions for payments systems such as Automatic Clearin- 
ghouse (ACH), checks, or wire transfers. These exemptions, which generally 
extend to those without a direct customer relationship with a gambling busi- 
ness, are based on the fact that it is “not reasonably practical for the exempted 
participants in ACH systems, check collection systems, and wire transfer sys- 
tems ... to identify and block, or otherwise prevent or prohibit, restricted trans- 
actions under the Act.” [37] Thus, unlike the credit card or electronic payment 
services, which had previously developed a coding system, the Act is not re- 
quiring an additional system to be developed here. In part, this reflects the 
open nature of transactions under wire transfers, checks, and ACH systems, 
which do not require particular membership and approval, unlike the more se- 
lective counterparts in credit card systems. [38] 

Institutions with gaming firms as customers are not within the scope of 
the exemption. Such institutions are deemed to have the ability, with reaso- 
nable due diligence, to know the nature of the customer’s business. For others 
more remote from the transaction, the imposition of duties of inquiry might 
threaten the efficiency of the system. [39] Significantly, the proposed regula- 
tions reject an approach that might require information disclosure by consu- 
mers to deter unlawful gambling transactions. Even though deterrence of 
unlawful gambling transactions may result from required disclosure, the regu- 
lations take the position that such disclosures are fraught with inaccuracy, whe- 
ther intentionally or unintentionally (i.e., because the consumer does not know 
the activity is illegal). Moreover, a disclosure-based approach would impose 
additional costs and burdens which would adversely affect the entire financial 
system. [40] 

Thus, it is quite clear that consumers in the U.S. and the financial insti- 
tutions that deal with them are not the principal target of these regulations. 
Such consumers may be targeted by other monitoring systems, such as due di- 
ligence systems that might otherwise be used to detect suspicious patterns for 
other purposes, including fraud protection, and wrongdoing may be discove- 
red in that way. [41] Other monitoring activity, such as a requirement that fi- 
nancial institutions monitor their trademark usage on gambling websites or 
similar indicators that their systems are being used to circumvent the law, may 
also support enforcement efforts. [42] However, the principal focus is on the 
business community and relationships with gambling businesses. 

Financial intermediaries, sometimes known as “e-wallets,” have been 
involved in making fund transfers, and are thus directly affected by the Act. 
One example is the Gibraltar-based firm NETeller, which had previously been 
advertised to U.S. residents as an alternative means to transmitting payment to 


452 








online casinos when such residents were otherwise having difficulty using cre- 
dit cards to transfer funds. One online casino even cavalierly advised its pa- 
trons that NETeller could be reached through any Bank of America or Citibank 
branch. [43] 

Subsequent to the enactment of UIGEA, the founders of NETeller were 
arrested during a visit to the United States and charged with money launde- 
ring based on the knowing use of these services to help U.S. customers access 
illegal gambling sites. A domestic firm, ECHO, which assisted in these trans- 
actions, was not prosecuted, but was required to disgorge profits and freeze 
assets associated with this firm. [44] 

Following the arrest of their founders, NETeller announced that it was 
ceasing operations in the U.S. NETeller assets in the U.S., including accounts 
totaling up to $60 million for U.S. customers, were frozen, and as of June 4, 
2007, had still not been redistributed to their U.S. customers. [45] Up to 65 
percent of NETeller’s business came from U.S. sources, causing a serious fi- 
nancial impact on this firm. NETeller later announced that it would no longer 
process transactions from Turkish residents, in light of restrictions on Internet 
gambling enacted there. [46] 

These events illustrate that law enforcement efforts through criminal 
sanctions also provide an important complement to the regulatory approach in 
the proposed regulations. The regulations consciously allow some leakage in 
the system in that some unlawful transactions may indeed be approved, but 
also limits the associated costs of enforcement. According to the preamble to 
the proposed regulations, these rules will impose a total cost of only $4 million 
annually on regulated entities. [47] That cost seems small in relation to the si- 
gnificant level of gambling from U.S. patrons that might otherwise be deter- 
red. 

Penalties imposed by the Federal Reserve or related institutions provi- 
ding regulatory oversight of financial institutions, [48] or in some cases the 
Federal Trade Commission, will await those firms that fail to comply with the 
proposed new rules. [49] However, the effective date of the regulations is li- 
kely to be delayed for several months, as the proposed regulations suggest a Six 
month delay after they become final. The proposed regulations do not speak 
directly to these penalty issues. 

As a further incentive for compliance, the Act protects firms from civil 
liability for blocking transactions that are reasonably believed to be restricted 
transactions, or which are blocked by a system designed to meet these regula- 
tory requirements. [50] Such protections are similar to those provided to those 
seeking to provide content restrictions on the Internet to aid in the enforcement 
of other laws. [51] ` 


453 





Civil enforcement efforts may also be undertaken by United States At- 
torneys or state Attorneys General, who may enjoin restricted transactions and 
seek other appropriate relief. The Act grants “original and exclusive” juris- 
diction to the federal district courts for this purpose. [52] The Act thus provi- 
des state law enforcement officials with a new legal tool for enforcement, but 
requires that this tool be used in Federal court. Of course, this provision will 
require domestic jurisdiction over the actor. For example, it might enable in- 
junctive relief against advertising for an internet gambling firm that is located 
in the U.S. 

Injunctive powers under the Act are strictly limited in the case of an “in- 
teractive computer service,” a term which is borrowed from section 230 of the 
Communications Act. [53] Assuming that the “interactive computer service” 
is not also engaged in providing unlawful gambling services, relief is gene- 
rally limited to disabling access or deleting hypertext links to sites that violate 
the section. [54] An “interactive computer service” is not obligated to moni- 
tor its services or affirmatively seek out facts indicating a nonconforming ac- 
tivity. [55] 

However, these protective limitations are withdrawn if the “interactive 
computer service has actual knowledge and control of bets and wagers” and is 
involved in the operations of a website where unlawful wagering may occur. 
[56] Involvement in ownership or control, or being owned or controlled, by an 
entity engaged in unlawful betting also subjects the interactive computer se- 
rvice to liability. [57] 


c. What is “Unlawful Internet Gambling”? The definition of “unlawful inter- 
net gambling” is also an essential element of this Act. The Act provides in 
part: 

“The term "unlawful Internet gambling" means to place, receive, or 
otherwise knowingly transmit a bet or wager by any means which involves the 
use, at least in part, of the Internet where such bet or wager is unlawful under 
any applicable Federal or State law in the State or Tribal lands in which the bet 
or wager is initiated, received, or otherwise made.” [58] 

The Act thus defines the legality of an Internet gambling transaction by 
reference to either the place where the gambler initiates a wager or the place 
where the gambling firm receives the wager. For this purpose, the interme- 
diate routing of an Internet packet is not relevant in assessing the legality of the 
transaction. [59] 

This approach defers to the laws of the state (or in the case of Tribal 
lands, to their applicable tribal laws), rather than imposing new federal re- 
strictions on gambling. A rule of construction makes this clear: “No provision 


454 








of this subchapter shall be construed as altering, limiting, or extending any Fe- 
deral or State law or Tribal-State compact prohibiting, permitting, or regulating 
gambling within the United States.” [60] The Proposed regulations are also de- 
ferential as to matters of whether a transaction violates applicable, state, fede- 
ral, or tribal gambling laws, as these matters were beyond the scope of the 
legislation. 

Purely domestic intrastate transactions, or in the case of Indian lands, 
intratribal transactions, are specifically defined to be outside the scope of 
unlawful Internet gambling. [61] Thus, the Act appears to preserve the possi- 
bility that Internet gambling may become legalized domestically, and that such 
activities would not invoke restrictions on financial transactions otherwise im- 
posed by the Act. Moreover, the Act also excludes any bets placed on interstate 
horseracing, which may be allowed under the Interstate Horseracing Act of 
1978. [62] Both of these provisions appear to flout the WTO ruling involving 
the trade dispute between Antigua and the United States, which as discussed 
above required remedial action to address the availability of Internet gambling 
in these limited contexts to the exclusion of international competitors. 

The term “bet or wager” is also specifically defined. The primary defi- 

nition involves “the staking or risking by any person of something of value 
upon the outcome of a contest of others, a sporting event, or a game subject to 
chance, upon an agreement or understanding that the person or another person 
will receive something of value in the event of a certain outcome.” [63] Lot- 
teries and sports betting are specifically covered, [64]and their inclusion seems 
well within the accepted meaning of betting or wagering. 
d. Other Non-gambling Activities (Including Contests and Fantasy 
Sports).Specific exclusions from the definition of betting or wagering are also 
available for activities that may border closely on gambling, but are neverthe- 
less treated differently. These include securities and commodities transactions, 
contracts of guaranty or indemnity, and insurance. [65] Although some might 
consider a speculative position in a future contract or option to be “gambling,” 
the Act clearly distinguishes them and exempts them from any threat from this 
legislation. 

The Act also addresses other technology-based activities that do not in- 
volve wagering or betting per se, which include competitions or contests and 
so-called “fantasy sports” leagues. The skills-based competitions require that 
participants do not “stake or risk anything of value” other than one’s personal 
efforts and sponsor-provided points or credits (which are provided free of 
charge). [66] The “fantasy sports” games are allowed only to the extent that the 
teams involved are not based on current amateur or professional sports teams. 
Moreover, any prizes must be based on statistical outcomes accumulated from 








455 





the season, and they must not depend on the number of participants or amount 
of fees they paid. Payouts based on results from “real-world” teams or events, 
including any single performance of an individual athlete in a particular event, 
are also prohibited. [67] Given the popularity of fantasy sports leagues, these 
provisions will allow interjurisdictional competition without fear of conflict 
with legal obligations from the UIGEA. 

The scope of a skills-based exception is currently subject to proposed le- 
gislation, which takes into account the popularity of poker as a competitive ac- 
tivity. H.R. 2610, styled the “Skill Game Protection Act,” was introduced in 
the House of Representatives on June 7, 2007, to amend the applicable provi- 
sions of the UIGEA and Wire Act to allow U.S. residents to participate in In- 
ternet poker. , 

The future prospects for such legislation are doubtful. The legislation re- 
cognizes the potential problems of legalizing this form of activity, expressly 
stating that the “Federal government should take appropriate steps” to address 
concerns about preventing participation by minors, compulsive gamblers, cri- 
minal activity and money laundering, as well as to ensure that “appropriate 
taxes are collected.” The failure to provide any means to accomplish these si- 
gnificant policy goals is likely to prevent any progress in enacting this bill. 


5. Concluding Observations. 


Lawrence Lessig has argued that the Internet would not necessarily facilitate 
desires for human liberty; instead, the emerging architecture of cyberspace 
would ultimately depend on the purposes the Internet would ultimately fulfill. 
[68]Commerce has flourished on the Internet, and thus has contributed signi- 
ficantly to the legal environment. Rather than being free of geographical bor- 
ders, borders are being reintroduced into the Internet by the legal structures 
imposed around it. 

The culture of freedom has prevailed in one sense, to the extent that cur- 
rent U.S. policies have not targeted the behavior of individual gamblers. Law 
nevertheless has a role in driving technological development and responses by 
private actors, who may ultimately serve government interests. When the exe- 
cutives of business firms may be exposed to arrest and detention when visiting 
the United States, they have an incentive to create safeguards to avoid viola- 
ting these laws. For example, geolocation technology may ultimately be used 
for the purpose of providing a more robust means of excluding U.S. patrons as 
a means of avoiding legal entanglements. [69] 

Publicly-traded gambling firms like PartyGaming as well as financial 
intermediaries like NETeller have chosen to comply with U.S. laws, signaling 


456 








an early success from UIGEA. Moreover, this has occurred before any dome- 
stic regulations have been implemented to guide financial services firms in de- 
veloping suitable payment system controls. However, the temptation to tap 
into significant U.S. markets will nevertheless persist. 

Without an enforcement priority toward individuals engaged in gam- 
bling activities, U.S. patrons may nevertheless seek other alternatives in less re- 
gulated markets. This could have the counterproductive result of increasing 
opportunities for financing criminal or terrorist enterprises, risks which might 
have been largely avoided with publicly-traded and regulated firms. The fact 
that consumer transactions are not targeted also translates into reduced effi- 
cacy for one of the motivations behind the litigation, addressing problems of 
consumer debt arising from Internet gambling. The persistence of consumer 
demand will continue to present threats that are difficult to gauge without fur- 
ther research, and those may require increasing vigilance in monitoring finan- 
cial transactions and flows. 

In the interim, another implication for investors should be considered. 
Internet gambling firms that previously targeted U.S. patrons created a signi- 
ficant legal risk for U.S. investors, who faced the risk of domestic prosecution, 
much like that illustrated in the Cohen case. To the extent that Internet gam- 
bling firms are able to target other markets, and these other markets allow legal 
patronage and transfers, we may see growth in the availability of U.S. invest- 
ment capital deployed in this area. U.S.-based search engine Yahoo! has anno- 
unced that it would launch “Yahoo Poker’ on the International Poker Network, 
which will focus on the European market. [70] Thus, despite the restrictions 
of patron capital through wagering, investor capital may nevertheless be mo- 
ving. Ironically, this may mean greater marketing efforts and higher gambling 
patronage from those countries that do not impose restrictions affecting do- 
mestic markets. 


Notes 


[1] www.CCA-i.com (visited May 31, 2007). 

[2] David O. Stewart, An Analysis of Internet Gambling and its Policy Implications (Ame- 
rican Gaming Association 2006), available at www.americangaming.org (visited May 29, 
2007). 

[3] Burke Hansen, Papua New Guinea reaches for the online gambling ring, May 7, 2007, 
available at http://www. theregister.co.uk/2007/05/07/papua_guinea_gambling/ (visited June 
27, 2007). 

[4] Edward A. Morse & Ernest P. Goss, GOVERNING FORTUNE: CASINO GAMBLING IN AME- 
RICA 13-31 (University of Michigan Press 2007). 

[5]See generally id. at 204-211; Maria Veronica Perez Asinari, Internet gambling and bet- 
ting services: When the GAS’ rules are not applied due to the public morals/public order 


457 





exception. What lessons can be learnt? 22 Computer Law & Security Report 299 (2006). 


[6] See EU backs Univet over Tour de France ban, International Herald-Tribune, April 30, 
2007, available at www.iht.com/articles/ap/2007/04/30/sports/EU-SPT-CY C-EU- 
Unibet.php (visited June 1, 2007). 


[7] See Tour de France team hit by gambling controversy, available at 
www.whatcasino.com/news/ (May 9, 2007)(visited 5/31/2007). 


[8] See, e.g., Ewout Keuleers, From Gambelli to Placanica to a European framework for re- 
mote gaming, 21 Computer Law & Security Report 427 (2005); Alexander Menais & Marie 
Marcoux, Virtual Casinos at the Frontiers of the Law, 18 Computer Law & Security Report 
427 (2002). 


[9] On this point, see the comments of Aristotle, International, on the need for age verifi- 
cation submitted to the U.K. Gambling Commission, which includes numerous statements 
from credit card firms, including Visa, Discover, and MasterCard, on the limitations of the 
use of credit cards on age verification. See http://www.gamblingcommission.gov.uk/Up- 
loadDocs/Misc/lccp_respondents/AristotleInternational.pdf (visited 6/26/07). 


[10] See, e.g., 2003 NCAA National Study on Collegiate Sports Wagering and Related Be- 
haviors, available at http://www.ncaa.org/library/research/sports_wagering/2003/2003__ 
sports_wagering_study.pdf (visited June 27, 2007). 

[11] CIA World Fact Book (2007), available at https://www.cia. gov/library/publica- 
tions/the-world-factbook/index.html (visited May 31, 2007). 

[12] Zd. 

[13] Zd. . 

[14] See generally David O. Stewart, An Analysis of Internet Gambling and its Policy Im- 
plications (American Gaming Association 2006), available at www.americangaming.org 
(visited May 29, 2007). 

[15]PartyGaming Plc, Press Release, October 20, 2006, available at 
www.partygaming.com/ (visited June 27, 2007). 


[16] 260 F.3d 68 (2d Cir. 2001), cert. denied, 536 U.S. 922 (2002). 
[17] Id. at 77-78. 


[18] The Government of Antigua asserted as much in an amicus curiae brief to the United 
States Supreme Court in connection with the Cohen case. 


[19] See 28 U.S.C. §§ 3701-3704; see generally Morse & Goss, supra note 4, at 153-57. 
[20] See In re MasterCard Int’l, 313 F.3d 257 (5th Cir. 2002). 
[21] See People v. World Interactive Gaming Corp., 714 N.Y.S. 2d 844 (1999). 


[22] Pub.L. 109-347, Title VIII, Oct. 13, 2006, 120 Stat. 1952, codified at 31 U.S.C. §§ 
5361-67. 


[23] See www.thomas.gov (H.R. 4411) (visited June 18, 2007). 
[24] See www.thomas.gov (H.R. 4951) (visited June 18, 2007). 


[25] Security and Accountability for Every Port Act, Pub. L. 109-347, October 13, 2006, 
120 Stat. 1884. 


[26]' See www.thomas.gov (H.R. 2046) (May 2, 2007 remarks). 
[27]31 U.S.C. § 5366. 


[28]Dominic Walsh, Sportingbet pays $400,000 to call it quits, Times, March 22, 2007, 
available at 2007 WLNR 5406368. : 


[29] See id.; Andrew Ross Sorkin & Stephanie Saul, Gambling Subpoenas on Wall St., New 


458 








York Times, Jan. 22, 2007, available at 2007 WLNR 1221412. 


[30]See, e.g., United States v. Newman, 490 F.2d 139 (3d Cir. 1974); United States v. 
Moody, 462 F.2d 1307 (8th Cir. 1972). 


[31]Aiding and abetting liability has been used as a tool by the Justice Department to en- 
courage U.S. firms not to participate in advertising for Internet casinos. See generally 
Morse & Goss, supra note 4, at 197-98. 


[32] See, e.g., United States v. Lombardo, et al., (Indictment filed 5/9/2007), United States 
District Court, District of Utah, Central Division, Case No. 2:07CR00286 PGC (on file 
with author). 


[33] 31 U.S.C. § 5362(7). 


[34]See Federal Reserve Board of Governors, 93d Annual Report 147 (2006) (available at 
http://www. federalreserve.gov/boarddocs/rptcongress/annual06/pdf/ar06.pdf) (visited June 
18, 2007). 


[35]See Regulation GG: Docket No. R-1298, RIN 1404-AB78, Prohibition on Funding of 
Unlawful Internet Gambling, available online at 


[36] See Edward A. Morse, Extraterritorial Internet Gambling: Legal Challenges and Po- 
licy Options, 1 Int’! Journal of Intercultural Information Management 33 (2007). 


[37]Preamble to Proposed Regulation GG at 13-14 (October 1, 2007). 
[38]See id. 

[39] See id. at 14. 

[40] See id. at 15 (ACH), 16 (checks) 17-18 (wire transfers). 

[41]See id. at 21-22. 

[42]See id. 


[43] See Edward A. Morse, Extraterritorial Internet Gambling: Legal Challenges and Po- 
licy Options, 1 Int’] Journal of Intercultural Information Management 33 (2007) (discus- 
sing conditions in early 2006, prior to enactment of UIGEA). Presumably, such brazen 
advertising would invoke a duty to monitor by the bank, and to put a stop to these kinds of 
transfers under the proposed regulations. 


[44]See Nonprosecution Agreement Announced with Clearing House in Gambling Case, 12 
BNA Electronic Commerce & Law Report, p. 306 (April 4, 2007). 


[45] See Press Release, June 4, 2007, at www.neteller-group.com/press/en/130.htm (visi- 
ted 6/22/07). 


[46] See Press Release, April 11, 2007, available at http://www.partygaming.com/im- 
ages/docs/071104_Turkey_Closure.pdf (visited June 27, 2007). 


[47]See id. at 29. 


[48]These include the Office of Comptroller of the Currency, Federal Deposit Insurance 
Corporation, National Credit Union Administration, and Office of Thrift Supervisions. See 
House Judiciary Committee Report, Unlawful Internet Gambling Enforcement Act of 
2006(H.R.4411), House Rep 109-412 (part 2) at 12 (May 26, 2006). 


[49] See 31 U.S.C. § 5364(e). 
[50]See 31 U.S.C. § 5364(d). 
[51] See 47 U.S.C. § 230. 
[52] See 31 U.S.C. § 5365. 


[53] 31 U.S.C. § 5362(6). An “interactive computer service” is defined as “any informa- 
tion service, system, or access software provider that provides or enables computer access 


459 


by multiple users to a computer server, including a service or system that provides access 
to the Internet and such systems operated or services offered by libraries or educational in- 
stitutions.” 47 U.S.C. § 230(f). 


[54] 31 U.S.C. § 5365(c). 

[55] Ja. 

[56] See id. 

[57]See generally 31 U.S.C. 5365(c)(2). 

[58] 31 U.S.C. § 5362(10). 

[59] 31 U.S.C. § 5362(10)(B). 

[60] 31 U.S.C. § 5361(b). 

[61] 31 U.S.C. § 5362(10)(B) (intrastate), (C) (intratribal). 
[62] 31 U.S.C. § 5362(10)(D). 

[63] 31 U.S.C. § 5362(1)(A). 


[64] 31 U.S.C. § 5362(1)(B)(lotteries),(C)(sports betting proscribed by the Professional and 
Amateur Sports Protection Act). 


[65] See 31 U.S.C. § 5362(E). 

[66] See id. 

[67] See id. 

[68] See Lawrence Lessig, CODE AND OTHER LAWS OF CYBERSPACE 30 (1999). 


[69] See, e.g., Geolocation: Don’t Fence Web In, Wired, July 12, 2004, available at 
www. wired.com/print/techbiz/it/news/2004/07/64178 (visited May 29, 2007). 


[70] See Yahoo! breaks into the online poker industry, Online Casino News, April 30, 2007, 
available at www.responsiblegambling.org/. 


460 








The Workplace of the Future — Liability Issues and Risk 
Management 


Nigel Wilson 
Barrister 
Bar Chambers 
34 Carrington Street 
Adelaide South Australia 5000 
Australia 
nigel. wilson@barchambers.com.au 





Abstract: The nature and impact of Information and Communi- 
cation Technologies (ICTs) involve major challenges for the manage- 
ment of liability issues in the workplace of the future. Risk management 
of these liability issues also needs to take account of other emerging 
trends in the workplace. The benefit of general regulatory regimes has 
been that they can be readily applied to novel situations to protect con- 
sumers and the community. When the public interest has required it, 
specific legislation has the capacity directly to address unsuitable busi- 
ness practices involving the use of ICTs and to provide appropriate con- 
sumer protection. Consistent with international objectives, a central 
element of the regulation of the future workplace environment will be 
the protection of individual human rights, particularly the right to pri- 
vacy. The application of human rights concepts at a domestic level ra- 
ises particular challenges in relation to the regulation of ICTs. Effective 
risk management in the future will require a consideration of data pro- 
tection and document retention issues and the implementation of suita- 
ble training, compliance programs and protocols. 


1. The Workplace of the Future 


In order to identify the liability issues which may arise in the workplace of the 
future it is important to seek to understand the current legal framework and 
workplace environment, both internationally and locally. 

A vast amount of work has been done and time and resources have been 
invested by international agencies and national governments in examining the 
likely impact of Information and Communication Technologies (ICTs) on the 
workplace of the future and the human condition.[1] 

Akey feature of the stated international position regarding the regulation 
of ICTs is the need for the protection of human rights. 


461 





2. The International Position 
Article 12 of the Universal Declaration of Human Rights (1948) provides that: 


“No-one shall be subjected to arbitrary interference with his/her privacy, 
family, home or correspondence, nor to attacks upon his/her honour or 
reputation. Everyone has the right to protection of the law against such 
interference or attacks.” 


In 1997 then United States President Bill Clinton stated a framework 
for global economic commerce and identified five core principles: 


e the private sector should lead; 

e governments should avoid undue restrictions on electronic com- 
merce; 

e where government involvement is needed, its aim should be to sup- 
port and enforce a predictable, minimalist, consistent and simple 
legal environment for commerce; 
governments should recognize the unique qualities of the internet; 
electronic commerce over the internet should be facilitated on a glo- 
bal basis.[2] 


More recently, the United Nations General Assembly resolved in the 
Millennium Declaration in 2000: 


“To ensure that the benefits of new technology, in conformity with the re- 
commendations contained in the Economic and Social Council (ECO- 
SOC) 2000 Ministerial Declaration, are available to all.” 


The ECOSOC 2000 Ministerial Declaration stated that ICTs: 


are central to the emerging global knowledge-based economy; 

can accelerate growth; 

can promote sustainable development; 

assist in eradicating poverty in developing countries and countries in 

transition. 

However, the following key issues and concerns were identified: 

e the “new economy” creates opportunities for economic growth and 
social development; 

e the majority of the world population still lives in poverty and rema- 
ins untouched by the ICT revolution; 

e there was a potential for economic development by developing co- 

untries to close the “digital divide” and in so doing ICTs should be 

utilized to foster “digital opportunity”. 


462 








Subsequently, the United Nations General Assembly resolved that legal sys- 
tems should: 


e protect the confidentiality, integrity and the availability of data and 
computer systems from unauthorized impairment; 
e ensure that criminal abuse is penalized.[3] 


3. The Modern Workplace in Perspective 


The pace of technological change and its influence on the modern workplace 
can be demonstrated by analyzing, specifically, the short history but imme- 
diate impact of telephones, computers and the internet in modern society. 


3.1 Telephone 


The telephone was invented in 1876 by Alexander Graham Bell. By 1880 the 
Bell Company had leased 100,000 instruments. 

By contrast, in 2007 Apple’s new “Iphone” is estimated to have sold be- 
tween 500,000 to 700,000 units in the first weekend of its sales. Each phone 
retailed for approximately US$499 to US$599. Accordingly, approximately 
US$250 million in sales are estimated to have occurred in one weekend alone. 

Trends in the relative cost of telephone usage also demonstrate the vast 
economies of scale in the international telecommunications system. The cost 
of a telephone call from New York to London was approximately a dollar in 
1950, six cents in 1990 and is essentially “free” today using the internet. 


3.2 Computers 


The first rotor machines were the subject of the Enigma patent in 1918. 

During World War II electro-mechanical “bombes” were developed toge- 
ther with the top secret Colossus computer. The Electronic Numerical Inte- 
grator and Computer was developed between 1943 and 1946. 

By 1965 Intel founder, Mr Graham Moore, described what became known 
subsequently as “Moores law”: that the number of transistors on a computer 
chip doubles every two years. As a result, a musical birthday card bought today 
has more computing power than the fastest main frame computers of the 1970s. 


3.3 The Internet 


The internet was invented in 1969 and used predominantly for email and file 
transfers. The HTTP (Hypertext Transfer Protocol) and HTML (Hypertext 
Markup Language) protocols were developed in 1989. Business to consumer 
(B2C) and business to business (B2B) data exchange, communication and com- 


463 


merce has spawned as a result. 

In March 2000 the “dot.com bubble” burst. However, the rate of inter- 
net usage is burgeoning. The 2006 Australian census determined that 58% of 
Australian households had an internet connection.[4] In 2007 it is reported 
that nearly a billion people use digital technology in their daily lives. Further, 
despite “the notorious dotcom collapses, estimates show that worldwide online 
trade exceeded US $2000 billion in 2002 with predicted increases in excess of 
US $12,800 billion by 2006: the European Union alone is expected to expe- 
rience on-line trade rising from €77billion in 2001 to €2.2trillion by 2006”.[5] 


4. Other trends in the workplace 


The technology changes occurring in the workplace are also occurring at the 
same time as a number of other significant changes. 
Major studies have identified the following trends: 


e a shifting workforce composition including an older workforce and 
an ageing population together with an increasingly female participa- 
tion in the workforce; 

e an increasingly skilled workforce with emphasis on “knowledge” 
based industries; 

e organisational changes in which firms are becoming more speciali- 
zed and are increasingly vertically disintegrated; 

e the nature of the employment environment has changed from the tra- 
ditional employer-employee relationship towards an increasing use of 
independent contractors, temporary workforce and, in some indu- 
stries, “e-lancing”’; 

e work locations now include temporary locations and “remote” work- 
places; 

e workplace education and training now includes ICT-based tra- 
ining.[6] 


These trends must also be borne in mind in seeking to identify the lia- 
bility issues in the workplace of the future and to manage their risks. 


5. Liability issues for the Workplace of the Future 


Until recently, domestic regulation of the workplace has not emphasized indi- 
vidual human rights. The common law has been reluctant to protect an indi- 
vidual’s right to privacy.[7] However, an increasing number of jurisdictions are 
adopting international principles of human rights into domestic law. 

The liability issues for the workplace of the future include: 


464 








global liability issues; 

jurisdiction — based issues; 

risk issues; 

data and document retention issues; 
human rights issues. 


5.1 Global Liability Issues 


Globalisation of commerce and trade gives rise to a potential liability in every 
jurisdiction in which a website is viewed or an email is published.[8] Provi- 
ded the jurisdictional basis exists, existing consumer protection legislation has 
the capacity to apply extra-territorially, for example, to misleading advertising 
on the internet[9] and to the operation of websites outside a country’s juris- 
diction engaging in inappropriate business practices.[10] Courts have reco- 
gnized the need for international co-operation in meeting the needs of 
consumers in the internet world[11] and have applied and enforced laws aga- 
inst companies and individuals located within a jurisdiction but operating out- 
side that jurisdiction.[12] 


5.2 Jurisdiction — based issues 


The remote workplace raises issues regarding the location of the “worker” 
which may differ from the location of the employer. Further, “home” offices 
may not satisfy specific occupational health and safety regulations which may 
apply in the office or traditional workplace. Further, insurance policies which 
may apply to liabilities arising from workplace activity are usually jurisdic- 
tion specific and contain United States exclusions. The internet is often de- 
scribed as “borderless”. 


5.3 Risk Issues 


Risk issues for the workplace for the future include viruses damaging own sys- 
tems and being forwarded to third parties. Third parties (hackers etc) have the 
capacity to damage systems through unauthorized access, sabotage and iden- 
tity theft. Data protection of confidential information will be paramount. The 
detection of fraud and other criminal practices will be a key consideration.[13] 

The protection of intellectual property is the subject of considerable interna- 
tional regulation and comity but the relative ease with which ICTs can be re- 
produced or reverse-engineered and their relatively short operational life mean 
that enforcement is often not effective or timely.[14] 

If an “e-risk” event occurs within an organisation the financial conse- 
quences include trading losses, business interruption, personnel downtime, data 
retrieval costs, reputation loss and restoration or remedial costs. The organi- 
sation the subject of such an event may itself be responsible to other parties (eg 


465 





customers or clients for privacy intrusions or suppliers to whom duties of care 
or contractual obligations are owed). 
5.4 Data and Document Retention Issues 


The “paperless office” has become an expression which has not been reflec- 
ted in reality. Innovation in rights management of documentation and the abi- 
lity of software to control the recipient of a document and how long it is 
accessible[15] gives rise to issues regarding data and document retention. In 
subsequent litigation, failure to establish suitable policy and system control 
procedures including control of access to relevant databases, programs, log- 
ging of changes, backup practices and audit procedures can give rise to docu- 
ments being rendered inadmissible.[16] 


5.5 Human rights issues 


Common law protection of an individual’s right to privacy has been inconsi- 
stent. General legislation protecting privacy has the capacity to regulate bre- 
aches of privacy principles.[17] For example, inadvertent disclosure of 
customer email addresses has been sanctioned.[18] 

Where necessary, specific legislation has the capacity to prohibit prac- 
tices which are not in the public interest and which, in effect, constitute inap- 
propriate and unwelcome interferences with an individual’s privacy, family, 
home or correspondence. For example, specific legislation has been enacted 
to prohibit: 


e “spam” making it illegal to send or cause to be sent “unsolicited com- 
mercial electronic messages ”; [19] 

e unsolicited telemarketing calls making it illegal to make unsolicited 
telemarketing calls to numbers listed on the register.[20] 


In addition, some jurisdictions have enacted human rights legislation 
which is reflective of the international charter of human rights in which the 
right of a person not to have his or her privacy, family, home or correspon- 
dence unlawfully or arbitrarily interfered with is protected.[21] 

The adoption of broad human rights principles raises complications for 
the regulation of ICTs: 


© some jurisdictions have ratified international human rights conven- 
tions but have not legislated for their application domestically;[22] 

e the expense and delay involved in the enforcement of human rights 
principles; 


466 








e the perception that human rights principles involve public law con- 
cepts (eg. judicial review) rather than private law rights and remedies 
including rights to compensation; 

e the interpretation and enforcement of human rights principles has 
been far from predictable, simple and consistent. 


6. Risk Management 


As with all risk management, the key elements for risk management of liabi- 
lity issues in the workplace of the future will include: 


e appropriate training and supervision; 

assessment of the threat, system characteristics and the physical and 
cyber environments in which those systems operate in a documented 
and comprehensive manner;[23] 

effective protocols and compliance. Specifically, in relation to ICTs 
these include: 

closed networks; 

intranets; 

firewalls; 

anti-virus protection; 

digital signatures; and 

encryption security 

maintenance procedures and systems including for managing and de- 
aling with security breaches. 


The inter-relationship in modern society between critical infrastructu- 
res (electric power, gas supply, water supply and waste treatment, rail transport 
and ICTs) has been described as “mutually and circularly dependent”. The In- 
ternational Risk Governance Council has concluded that “... our societies are 
most vulnerable to disruptions of electric power supply and disruptions to, or 
degradation of, ICT services”. It was their judgment that “a significant pro- 
blem for owners, managers and regulators is that the public and many offi- 
cials in government have limited knowledge of the vulnerabilities of these 
systems and of the risk factors that have increased during the past several de- 
cades. ”[24] The challenge for individuals, businesses and governments will 
be to identify relevant risks and to put in place appropriate risk management 
strategies or policy frameworks. 


7. Conclusion 


The future workplace has the very real prospect of leading to a digital divide 


467 


rather than fostering digital opportunity. The identification and regulation of 
liability issues will present a key challenge to the equitable allocation of ICTs 
worldwide. A fundamental factor in the success of such a worthwhile goal is 
an awareness of the relevance, and consistent application, of human rights prin- 
ciples to an area which has historically been marked by a “survival of the fit- 
test” and a “first to market” mentality. 

What cannot be overlooked is that human rights “should be seen as in- 
forming almost everything lawyers and courts do” [25] This includes the re- 
gulation of the workplace environment now and in the future. 

One individual whose corporation has so revolutionized the workplace 
and been a driving and dominant force in the ICT phenomenon has said: 


“During the last decade, digital technology has changed the world in 
profound and exciting ways. Today we communicate instantly with pe- 
ople we care about without worrying about the traditional limitations of 
time and location. At work, we collaborate with colleagues in distant ci- 
ties ... But these changes are just the beginning. [26] 


If the current stage of ICT development is in its infancy then the chal- 
lenge to society and the legal environment of regulation, liability allocation 
and risk management will be to strike a balance between innovation and com- 
petition and the protection of fundamental human rights in the workplace of the 
future. 


Notes 


[1] United Nations, Information Economy Report 2005 Chapter 5; Rand Corporation 
(2004), The 21 Century at Work: Forces Shaping the Future Workforce and Work- 
place in the United States; Irish National Centre for Partnership and Performance 
(2005) Working to our Advantage — A National Workplace Strategy: Report of the 
Forum of the Workplace of the Future. 


[2] See http://www.technology.gov/digeconomy/framewrk.htm 

[3] United Nations General Assembly Resolutions 55/63 (2001) and 56/121 (2002) 

[4] Australian Bureau of Statistics, (2007) Media Release 070628CA-8093 

[5] Smith, Regulating E-Commerce in the WTO: Exploring the Classification Issue in 


Graham and Smith, (2004) Competition, Regulation and the New Economy, Hart 
Publishing at 159. 

[6] Rand Corporation (above, note 1). 

[7] A common law right to privacy was left open by the High Court of Australia in Aus- 
tralian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199. 
Subsequent cases in the State Supreme Courts of Australia have in one instance up- 
held a right to privacy (Grosse v Purvis [2003] QDC 151) and in another case in a dif- 
ferent State of Australia not found a right to privacy (Giller v Procopets [2004] VSC 
113). 


468 








[8] See observations made by the High Court of Australia in Dow Jones & Company Inc 
v Gutnick (2002) 210 CLR 575. 


[9] Australian Competition and Consumer Commission v Hughes [2002] FCA 270. 
[10] Australian Competition and Consumer Commission v Chen [2002] FCA 1248. 
[11] Australian Competition and Consumer Commission v Chen (above, note 10). 


[12] World Play Services Pty Ltd v Australian Competition and Consumer Commission 
[2005] FCAFC 70. 


[13] For example, an employer was found vicariously liable for the fraud of its employee 
who accessed and transferred monies from the bank account of a person for whom she 
was responsible for caring: Ffrench v Sestilli [2007] SASC 241. 


[14] Views are divided amongst industry experts about the effectiveness of regulation and 
protection of intellectual property in the face of escalating internet piracy: see J Torr, 
(2005) Internet Piracy, Thomson Gale. 


[15] B. Gates, Chairman, Microsoft Corporation, Enabling Secure Anywhere Access in a 
Connected World (6 February 2007): See http://www.microsoft.com/mscorp/exec- 
mail/2007/02-06secureaccess.mspx. 


[16] American Express v Vinhnee 336 BR 437 16 December 2006 9" Circuit. 
[17] See the Privacy Act 1988 (Commonwealth of Australia). 

[18] O v Large Retail Organisations [2004] Priv Cmr A 2. 

[19] See the Spam Act 2003 (Commonwealth of Australia). 

[20] See the Do Not Call Register Act 2006 (Commonwealth of Australia). 


[21] Charter of Human Rights and Responsibilities Act 2006 (Victoria); Human Rights 
Act 2004 (Australian Capital Territory) 

[22] Eg Australia. See Hettiarachi, “Some Things Borrowed, Some Things New: An 
Overview of Judicial Review of Legislation under the Charter of Human Rights and 
Responsibilities (2007) OUCLJ 61 at 66. 

[23] Risk Management Guide for Information Technology Systems, National Institute of 
Standards and Technology, Special Publication 800-30, January 2002 and more re- 
cently International Organization for Standardisation and International Electrotech- 
nical Commission ISO/ IEC 27002:2005 (July 2007) 

[24] International Risk Governance Council (2006), Managing and Reducing Social Vul- 
nerabilities from Coupled Critical Infrastructures (White Paper No.3). 

[25] M Warren AC, “Introduction to Human Rights Law: Seminar — Part 1” (2007) 81 ALJ 
245 at 246. 


[26] B Gates, Chairman, Microsoft Corporation 6 February 2007, see note [15] above. 


469 





Global Technology and Modern Commercial Agency of 
Necessity 


Tim Vollans 
Principal Lecturer in Law 
Coventry University Law School 
Priory Street, Coventry, UK 
t.vollans@coventry.ac.uk 


Abstract. In Anglo-Saxon common law, the courts have allowed 
agency of necessity to develop to meet the prevailing commercial needs, 
but also restricted its development through the imposition of demanding 
criteria. After summarising and distinguishing the basic principles ap- 
plicable to the ‘full’ doctrine of agency of necessity and the ‘more limi- 
ted’ sub-doctrine relating to reimbursement of agent’s expense, this 
paper locates and analyses the current application of the doctrine’s cri- 
teria in the age of ubiquitous mobile phones, synchronous internet com- 
munications, email, and immediate money transfers. It concludes by 
suggesting that the development of the doctrine is inhibited less by im- 
proved communication systems and more by the strict and narrow test 
applied to identify the required ‘necessity’. 


1. Introduction 


Agency is based upon consensual obligations between the agent and the prin- 
cipal, but the emergent Georgian commercial community required judicial in- 
tervention to assist in achieving some desired commercial objectives. As 
McCardie J. explained in Prager v. Blatspiel, Stamp and Heacock Ltd [1924] 
1 K.B. 566 at 570: 


‘The object of the common law is to solve difficulties and adjust 
relations in social and commercial life. It must meet, so far as it 
can, sets of fact abnormal as well as usual. It must grow with the 
development of the nation. It must face and deal with changing 
or novel circumstances. Unless it can do that it fails in its function 
and declines in its dignity and value. An expanding society 
demands an expanding common law.’ 


Agency of necessity addressed the problem articulated by Lynskey J. in 
Munro v. Willmott [1949] 1 K.B. 295 at 297: 


‘masters of ships who found themselves in foreign parts and una- 


ble to get immediate instructions from their owners when they 
needed money for expenses which had not been provided for’ 


471 


Other jurisdictions have addressed the need merely by extending im- 
plied authority in an emergency (Reynolds, 1990 referring to Mechem, 1914) 
but English law plugged the gap by the doctrine of ‘agency of necessity’, a co- 
usin of the law of salvage, permitting the sale of cargo or the pledging of a 
vessel to raise funds expressly to allow the voyage to continue - Arthur v. Bar- 
ton (1840) 6 M & W 138. It curiously lacks coherence (Bowstead and Rey- 
nolds, at 4-002) and in Re Banque Des Marchands De Moscou [1952] 1 AlL ER 
1269 (at 1277), Vaisey J. spoke of ‘this strange notion of an agency of neces- 
sity’. Over the years, the courts have adapted it, and until August 1* 1970 it 
extended even into matrimonial relations (41(1) Matrimonial Proceedings and 
Property Act 1970). Whilst the courts normally seek some pre-existing con- 
tractual relationship between the principal and the agent, and evidence that the 
goods are perishable, there are instances where the doctrine has been applied 
notwithstanding the absence of either (or both). It enables one party (the agent) 
to bind another (the principal) in a contract with a stranger (the third party who 
consequentially acquires good title to property) where the agent lacks any other 
right to do so. The consequential devil is that the third party can be confident 
of the application of the doctrine only through satisfaction of all the criteria: but 
the third party lacks the means of ascertaining the satisfaction of those criteria 
— a problem epitomised in the requirement of the impossibility of the ‘agent’ 
to secure instructions. Whilst the third party may not know what steps the agent 
has taken to secure authority, he cannot rely on the agent’s own assertions as 
to his authority (Armagas Ltd v. Mundogas SA (The Ocean Frost) [1986] A.C. 
717). The consequential paradox is that the doctrine denies the parties the im- 
mediate certainty that the doctrine sought to provide. 

This article summarises and distinguishes the basic principles applica- 
ble to the ‘full’ doctrine of agency of necessity and the ‘more limited’ doctrine 
relating to reimbursement of agent’s expense. Through examination of some re- 
cent cases, it will then locate and analyse the current application of the do- 
ctrine in the age of ubiquitous mobile phones, synchronous internet 
communications, email, and immediate money transfers. By way of conclu- 
sion it will suggest that the principal bar to the further application of the do- 
ctrine is not the existence of enhanced communication through advanced 
technology, but the strict and narrow test applied to identify the “necessity” of 
action. 


2. The Consensual Nature of Agency 


The received view is that the operation of the law of agency is usually based on 
some element of consensus between the principal and the agent or some repre- 
sentation by the principal. According to Bowstead and Reynolds (at 4-002), it is: 


472 








"the fiduciary relationship which exists between two persons, one 
of whom expressly or impliedly manifestly assents that the other 
should act on his behalf so as to affect his relations with third 
parties, and the other of whom similarly manifestly assents so to 
act or so acts" 


Professor Fridman prefers to identify agency through its legal consequences: 


"the relationship which exists between two persons ... in such a 
way as to be able to affect the principal's legal position in respect 
of strangers to the relationship". 


This dichotomy of approach reflects the courts’ traditional reluctance to 
impose any obligation unwillingly or unknowingly incurred. Bowen L.J. expla- 
ined in Falcke v. Scottish Imperial Insurance (1886) 34 Ch D 234 at 248: 


“The general principle is, beyond all question, that work and la- 
bour done or money expended by one man to preserve or bene- 
fit the property of another do not according to English law create 
any lien upon the property saved or benefited, nor, even if stan- 
ding alone, create any obligation to repay the expenditure. Lia- 
bilities are not to be forced upon people behind their backs any 
more than you can confer a benefit upon a man against his will.” 


Accordingly, the supposed doctrine of “agency of necessity” is a curiously rare 
exception; and fragmentally and imperfectly developed for several reasons of 
policy. It ranks as one of the three exceptions (the others are salvage and ac- 
ceptance of a bill for honour supra protest) to the general rule that unrequested 
work will create no legally enforceable right to remuneration. Nevertheless it 
seeks to accommodate commercial realism within the constraints of a strict 
legal doctrine; and consequently the doctrine has, over the years, enwrapped a 
number of separate (and disparate) sub doctrines, some of which, such as the 
wife’s agency of necessity, have been abolished. A ship’s Master now has im- 
plied authority to enter salvage agreements for the cargo (The Choko Star 
[1990] 1 Lloyds’s Rep 516); but, as Lynskey J. observed in Munro v. Willmott 
[1949] 1 K.B. 295 at 297,: 


“The master the always had power to sell or hypothecate the ship, 
in some cases to dispose of the cargo, and so forth as an agent of 
necessity.” 


Agency of necessity imputes to one party (the agent) the principal’s au- 


thority to bind the principal in a contract with a stranger (the third party) tho- 
ugh the ‘agent’ lacks any other right to so contract. As a consequence, one 


473 





unusual characteristic of agency of necessity is that it operates without the 
knowledge or will of the principal or any representation by him; and whilst the 
courts will usually prefer evidence of some pre-existing contractual relation- 
ship between the principal and the agent, the doctrine is not conditional upon 
such a relationship. 

Establishing the doctrine consequently validates the otherwise unau- 
thorised acts of the agent, and thrusts the validity of the agent’s actions upon 
the principal; and thereby creates two separate results in two separate rela- 
tionships as Lord Diplock explained in China-Pacific SA v. Food Corpn of 
India. The Winson [1982] AC 939 (at 958): 


“the effect of conferring on [the agent] authority to create con- 
tractual rights and obligations between that other person and a 
third party that are directly enforceable by each against the other.” 


This includes passing good title to goods to a third party, and (as usually 
the onus is on the agent to establish the application of the doctrine - Gillespie 
Bros, Proprietary, Ltd v. Burns, Philp & Co., Ltd 79 LI L Rep 393) authorising 
a defence against the principal’s action in conversion against the third party 
and, entitling the agent to fees, commission, and re-imbursement of expenses. 

Given this lack of consensual agreement, it is understandable that the 
courts have exercised ambivalent caution in the development of the doctrine. 
The expansion of the doctrine favoured by McCardie J. in Prager was promp- 
tly and firmly rejected by Scrutton L.J. in Jebara v. Ottoman Bank [1927] 2 
K.B. 254, at 270; and in Sedgwick, Collins & Co Ltd v. Highton and Others 
[1929] 34 LIL. Rep. 448 Wright J. denied the doctrine in respect of a policy 
of insurance: 


“The doctrine ... has only been applied to the case of people who 
had in their possession, custody or control entrusted to them for 
one reason or another goods and property, and in certain limited 
cases it has been held that they were entitled to take steps for the 
preservation of that property in the case of urgent necessity and 
charge the cost of so doing to the principals or justify the so 
doing; for instance, if they sell the goods as against their princi- 
pals in an action claiming damages.” 


Whilst recognising the need to adapt the principle for modern circum- 
stances, Lord Goddard warned in Sachs v. Miklos [1948] 2 K.B. 23 at 36: 


“It is, however, fairly clear from Scrutton L.J.'s judgment in Je- 


bara v. Ottoman Bank, and it is certainly my opinion, that the 
court should be slow to increase the classes of those who can be 


474 








looked upon as agents of necessity in selling or disposing of other 
people's goods without the authority of the owners.” 


3. Sub-doctrinal Developments 


The doctrine was originally maritime based but subsequently extended into 
terrene situations and where person seeks entitlement to recover reasonable 
expenses. As regards the former, Stoljar observed that a person may be faced 
with the same necessity to act on land as those at sea and Lord Goddard com- 
mented in Sachs, at 35: 


“There is no reason why, if it becomes commercially impossible, 
or extraordinarily difficult, for example, in the case of a strike or 
other breakdown of communications, for a carrier to communi- 
cate with the owner of goods, he should not be entitled to sell or 
dispose of them in the same way as a master of a ship.” 


Nevertheless, his Lordship warned (at 36) that the doctrine was not in- 
finitely elastic and emphasised that the criteria for terrene and maritime appli- 
cations were very different: 


“I know, however, of no case in which the doctrine of agency of 
necessity has been applied to carriers by land except where the 
goods are perishable or in a somewhat similar category, that is to 
say, livestock, which have to be tended, fed and watered.” 


As discussed below, the terrene cases do, however, provide guidance as 
to ‘emergency’ and ‘necessity’ 

The second ‘sub-doctrine’, where an ‘agent’ seeks entitlement to reco- 
ver reasonable expenses, fits uneasily into ‘agency of necessity’, since the 
‘agent’ is not altering the position of the principal vis-a-vis any third party. As 
Lord Diplock commented in The Winson (at 958), this ‘sub-doctrine’ is based 
on 


“cases where the only relevant question is whether a person who 
without obtaining instructions from the owner of the goods incurs 
expense in taking steps that are reasonably necessary for their 
preservation is entitled to recover from the owner of the goods the 
reasonable expenses incurred by him in taking those steps” 


In addition, the significant case law on the latter addresses only terrene 
situations, thereby muddling the two sub-doctrines. However, the starting point 
is that there is no fundamental principle entitling reimbursement. In Binsted v. 


475 


Buck (1777) 2 Wm BI 1117 the court refused reimbursement of expenses for 
caring for a stray animal or one found by a river, and in Nicholson v. Chapman 
2 H BL 254, the court refused payment to the bailiff’s man who recovered 
loose timbers from the Thames and stored them safely. Whilst the claim was 
not asserted under agency of necessity, Lord Eyre C.J. (at 259) refused to 
extend maritime principles to a tidal river: 


“it is better for the public that these voluntary acts of benevo- 
lence from one man to another, which are charities and moral du- 
ties, but not legal duties, should depend altogether fore their 
reward upon the moral duty of gratitude.” 


Similarly, in Hawtayne v. Bourne (1841) 7 M & W 595, the court refu- 
sed reimbursement of a mine manager’s borrowings to pay miners and avoid 
seizure of the employer’s property. However, the suspicion remains of an 

expectation that agents should protect the principal’s property, as in Bank 
of New South Wales v. Owston ((1879) 4 App. Cas. 270, at 290): 


"An authority to be exercised only in cases of emergency, and 
derived from the exigency of the occasion, is evidently a limited 
one, and before it can arise a state of facts must exist which 
shows that such exigency is present, or from which it might re- 
asonably be supposed to be present. If a general authority is pro- 
ved, it is enough to show, commonly, that the agent was acting in 
what he did on behalf of his principal." 


So, the apparently divergent sub-doctrines become reconcilable where 
there is an existing agency relationship (typically master and servant), and the 
courts often bend ‘implied authority’ to meet the situation as in Poland v. John 
Parr & Sons [1927] 2 K.B. 236 where the court classified a servant’s authority 
to protect his master’s endangered property as implied rather than agency of ne- 
cessity. 

Some of the shortcomings from this narrow approach have been ad- 
dressed by the Torts (Interference with Goods) Act 1977 and others by the de- 
velopment of restitution e.g. where the intervener is a professional performing 
a professional service (Surrey Breakdown Ltd v. Knight [1999] RTR 84). Yet, 
the cases still warrant examination as providing a fruitful exposition of “ne- 
cessity”. 


4. Principal Doctrinal requirements 


The roots of the doctrine of ‘agency of necessity’ lie in a maritime context. Re- 
cently, in The "P4 Mar" [1999] 1 Lloyd’s Rep 338, at 341 Clarke J. re-iterated 


476 








the four principal criteria for the application of the doctrine in the context of 
salvage: 

“(i) it is necessary to take salvage assistance, and 

(ii) it is not reasonably practicable to communicate with the 

cargo-owners or to obtain their instructions; and 

(iii) the master or ship owners act bona fide in the interests 

of the cargo; and 

(iv) it is reasonable for the master or ship owner to enter 

into the particular contract... 


In Brice, Maritime Law of Salvage, second edition, 1993, the author writes, 
after referring to this passage: 


There are of course countless situations which may arise so as 
to require that salvage assistance be provided to a ship and her 
cargo. It is probable that, at least in most cases, where the danger 
to the vessel is such that the services rendered would, in accor- 
dance with the ordinary principles of law be categorised as sa- 
lvage services, that the degree of danger to which the ship and 
cargo are exposed will be such as to amount to an "emergency" 
giving rise to a "necessity" for taking action to protect ship and 
cargo in the form of engaging a salvor to perform salvage servi- 
ces.” ” 


However, these criteria, only slightly refined, have found equal appli- 
cation in general commercial contexts. 

Firstly, although in The Bonita (1861) 1 Lush 252, the court advanced 
‘emergency’ as an alternative to ‘necessity, in The "PA Mar" Clarke J. clearly 
endorsed a two stage test for necessity: an emergency and consequential ne- 
cessity of action. ‘Emergency’ implies a compelling need for action to be ef- 
fected and the urgency of such execution, rather than mere prudence, 
desirability, inconvenience or nuisance; but the compelling need not be on the 
high seas. In The Gratitudine [1775-1802] All ER Rep 283, 3 Ch Rob 240, Sir 
William Scott applied the doctrine to a vessel and cargo in port: 


“Suppose the case of a ship driven into port with a perishable 
cargo where the master could hold no correspondence with the 
proprietor; suppose the vessel unable to proceed, or to stand in 
need of repairs to enable her to proceed in time. In such emer- 
gencies the authority of agent is necessarily devolved upon him 
unless it could be supposed to be the policy of the law that the 
cargo should be left to perish without care. What must be done? 
He must in such case exercise his judgment, whether it would be 
better to tranship the cargo, if he has the means, or to sell it.” 


477 


The need to act is objectively tested (Tetley & Co. v. British Trade Corp (1922) 
10 LIL Rep. 678) as Wright J. commented, in Sedgwick, Collins & Co Ltd v. 
Highton and Others [1929] 34 LI.L.Rep. 448 at 456: 


“I do not find anywhere any suggestion that to effect an insu- 
rance in circumstances like these could come within the scope of 
an agency of necessity. The question of whether a man should 
insure or not insure is essentially a matter for his own judgment.” 


In Australasian Steam Navigation Co v. Morse (1872) LR 4 PC 222, Sir Mon- 
tague Smith described “emergency” (at 230) as: 


“an irresistible compelling power — what is meant by it in such 
cases is, the force of circumstances which determines the course 
a man ought to take”. 


But that compelling power is unlikely to include commercial or financial pres- 
sures, as Singleton L.J. indicated in John Koch, Ltd v. C. & H. Products Ltd 
[1956] 2 Lloyd's Rep 59, at 65: 


“T do not consider that the question of agency of necessity arises 
upon the facts of this case. Storage charges were running. No one 
doubted the ability of the defendants to meet them .... It was not 
suggested by them that there was any question of the defendants’ 
financial stability.” 


The emergency might derive from external events, the character of the assets, 
or the combination thereof, but it is clear that the ‘necessity’ must relate to the 
nature of the entrusted goods and the risks to which they were exposed to place 
them i.e. either or both of the vessel and the cargo needing protection or pre- 
servation from an immediate risk of loss (Kleinwort, Cohen, & Co. v. The 
Cassa Marittima of Genoa (1876-77) L.R. 2 App. Cas. 156). Thus, there is no 
‘emergency’ where goods can be safely stored, as McCardie J. emphasised in 
respect of the furs in Prager (at 573): 


“The measure of deterioration depends on whether they are 
properly stored. If put into cold storage the deterioration is very 
little... I see no adequate reason for the sale by the defendants, 
for I am satisfied that there was nothing to prevent the defendants 
from putting them into cold storage, and certainly nothing to 
prevent them from keeping them with proper care in their own 
warehouse.” 


Underlining the point, his Lordship proceeded to advance a cost / benefit test: 


478 








“The expense of cold or other storage would have been but slight 
compared with the value of the furs. The plaintiff had given 
nearly 19001. for them, and they steadily rose in value. The contra 
account of the defendants was less than 4001. The margin 
therefore was of the most ample description.” 


Similarly, in Sachs, Miklos could not terminate the voluntary and gra- 
tuitous bailment of furniture (non —perishables) even though the continued sto- 
rage hampered Miklos’ business. The courts take a different approach in respect 
of living animals and to “non-perishable chattels” at risk (at 36): 


“In this particular case, whatever else there may have been, there 
was certainly no emergency. It was not a case where the house 
had been destroyed and the furniture left exposed to thieves and 
the weather. “ 


This approach was reiterated by Lynskey J. in Munro at 298: 


“There is no real evidence that there was any necessity for the 
defendant to dispose of the car. He may have found it 
inconvenient - to some degree a nuisance; but that is not an 
emergency which compels him to dispose of it.” 


The classic examples of compelling immediacy are the deteriorating soft 
produce (Springer v. Great Western Railway [1921] 1 K.B. 257); the disposal 
of rotting oranges (Freeman & Co. v. Macandrews & Co Ltd (unreported) KBD 
1929); the stabling fees of the horse which could not be delivered due to no 
fault of the company (Great Northern Railway Co v. Swaffield (1874) LR 9 
Exch 132); and the services of the veterinary surgeon for an injured dog (Pal- 
mer v. Stear (1963) 113 L.J. 420). Other situations must require prompt inte- 
rvention such as effective traffic management (White v. Troups Transport 
[1976] C.L.Y. 33). 

In contrast, in Surrey Breakdown, the Court of Appeal recognised the ad- 
aptability of the doctrine but rejected the contention that storing a stolen car 
under a statutory power constituted a compelling emergency. As Staughton J. 
admitted (at 88): 


“The doctrine of agency of necessity is not wholly settled in En- 
glish law ... However, the modern view is to be found at Ch 15 
in Goff and Jones on the Law of Restitution 4th ed., and in par- 
ticular at page 373. There it is said that to support an agency of 
necessity — 

"[it] must have compelled the intervention. The emer- 
gency must be so pressing as to compel intervention without the 
property owner's authority.” 


479 


More recently, in The Winson (at 967), Lord Simon reinforced the need 
for immediate action by reference to goods being in “imminent j eopardy”. De- 
spite the variety of scenarios, common to all these cases is the court’s demand 
that action needs to be taken. 

The second requirement is an inability to secure instructions from the 
owner directly (or via an authorised local representative of the ship owners - 
Gunn) or, an absence of a reply (The Winson). However, this is predicated 
upon convenient communications and “an opportunity to consult” (per Lord 
Esher in Gwilliam v. Twist [1895] 2 Q.B. 84 at 87). The only excuse for failing 
to endeavour to communicate is commercial impracticality. Over two hundred 
years ago, Sir Montague Smith explained in Kleinwort, Cohen, & Co, at 157 

And later 


"If according to the circumstances in which he is placed it be re- 
asonable that he should--if it be rational to expect that he may-- 
obtain an answer within a time not inconvenient with reference 
to the circumstances of the case, then it must be taken upon au- 
thority and principle that it is the duty of the master to do so, or 
at least to make the attempt.” 


In Sims & Co v. Midland Railway Co. [1913] 1 KB 103 at 112. Scrutton 
J. (as he then was) proposed a realistic test: “practically impossible to get the 
owner’s instructions in time,” and later, in Springer, Salter J. (at first instance) 
emphasised, at 262, that whilst each instance would turn on its own facts, the 
onus is upon the agent to show good reason for failing to secure instructions: 


“commercially impracticable to communicate with the plaintiff 
... but I think it is safe to say that if communication is physically 
possible without disproportionate expense, and if there is reason 
to expect that instructions can be obtained before a final decision 
must be made, then the carrier must at least attempt to obtain 
such instructions before he deals with the goods otherwise than 
under the express terms of the contract of carriage.” 


On appeal, Scrutton L.J. accepted (at 267) for cases of multiple princi- 
pals (e.g. multiple cargo owners) a “commercially impossible” test — later con- 
firmed in the Choko Star. However, within a half century, methods of 
communication, and therefore expectations, had changed, as Willmer L.J. in- 
dicated in Blandy Brothers & Co. v. Nello Simoni Ltd, [1963] 2 Lloyd's Rep 393 
at 401: 

“It was pointed out (and I think it cannot be contested) that in 
this case, telegraphic communication between Funchal and Lon- 


don being readily available, no question of agency of necessity 
could possibly arise.” 


480 








In Sachs Lord Goddard suggested that where the agent’s repeated com- 
munications (letters correctly addressed and posted, and attempted telephone 
calls but without necessitating a personal local search) have elicited no re- 
sponse from the principal (at 37): 


“A court may possibly infer that the [owner] was so disinterested 
in it that he was impliedly assenting to the sale”. 


The flaw in this approach is that by admitting an absence of urgency, he 
is denying the ‘emergency’ — an essential ingredient for the doctrine. 

Whilst failure to seek instructions is fatal to the application of the do- 
ctrine (McVittie v. Bolton Corporation [1945] KB 281), the principal is equally 
expected to respond to such request. In Ridyard v. Roberts (unreported) the 
Court of Appeal confirmed the application of the doctrine where a landowner 
had sold three ponies after their owners had failed to respond to numerous re- 
quests to remove them. There, Megaw L.J. explained: 


“ ‘Tt is apparently enough if the agent asked his principal for in- 
structions but the principal ignored his request.’ ... it certainly is 
a matter which falls importantly to be taken into account ... if he 
has taken reasonable steps to get instructions from his principal 
and he has received no such instructions, particularly where it is 
apparent that the absence of instructions is deliberate and ultro- 
neous.” 


These cases emphasise that the impossibility to secure instructions, or 
where the principal ignores the need to decide, as distinct from a refusal of au- 
thority as explained, with limitations, by Evans J in Graanhandel T Vink BV 
v. European Grain & Shipping Ltd [1989] 2 Lloyd’s Rep 531, Evans J.: 


“..no question of agency can arise if the necessary authority has 
been expressly refused. That was the effect of certain dicta in 
Morton v Chapman itself and there is a supporting passage in 
Benjamin on Sale (par 190). I would venture respectfully to doubt 
whether that is necessarily always the case: one can envisage cir- 
cumstances where a buyer does establish the need to sell, where 
it might well be argued that the seller's refusal to acknowledge 
those facts would not prevent the buyer from alleging that the 
agency did exist.” 


Despite that obiter comment, the requirement remains that the agent has 
to be unable to secure instructions from his principal. The tests are strict and 
the courts have rightly interpreted them narrowly to protect the principal. 

Thirdly, the putative agent has to act bona fide and with the intention to 


481 


preserve or protect that property in the principal’s best interests (Prager). As 
Sir William Scott explained in The Gratitudine (1801) 3 Ch Rob 240: 


“In all cases it is the prospect of benefit to the proprietor that is 
the foundation of the authority of the master.” 


Where motives are manifold, Lord Simon suggested in The Winson (at 
966) that the dominant motive test is applied, and so, in Prager, McCardie J. 
observed at 572: 


“an alleged agent of necessity must satisfy the Court that he was 
acting bona fide in the interests of the parties concerned. In Ew- 
bank v. Nutting [(1849) 7 C. B. 797, 804] ... Coltman J. said du- 
ring the argument: 

‘Does not the authority of the master extend to acts such as he, 
in the exercise of an honest judgment, thinks the best for the in- 
terest of the owner of both ship and goods?’ " 


Whilst Markesinis & Munday prefer the ‘interest mainly served’ test, in 
The Winson, Lord Simon mused, obiter, at 966, on whether the test should be 
‘the interest mainly served’ or ‘dominant motive’: 


“The law does not seem to have determined in this context what 
ensues where interests are manifold or motives mixed: it may 
well be that the court will look to the interest mainly served or to 
the dominant motive.” 


Finally, the agent’s action is reasonable and prudent, and therefore im- 
plicitly not unusual, e.g. borrowing money as in Hawtayne. However, the test 
is dependant upon the facts, as Lindley L.J. explained in James Phelps & Co 
v. Hill [1891] 1 QB 605 at 610: 


“in considering what is reasonably necessary any material cir- 


cumstance must be taken into account, e.g. danger, distance, ac- 
commodation, expense time and so forth.” 


Whilst the courts have readily adapted the doctrine to new scenarios, 
they continue to apply the four main tests with considerable strictness. 


5. Modern Communications 


The doctrine’s requirement that the agent has to be unable to secure instructions 
from his principal, was clearly essential to limit the application to true cases of 
necessity, and thereby protect the principal. The corollary is that where autho- 


482 








rity is refused, agency of necessity cannot arise, as Evans J. explained in Gra- 
anhandel T Vink BV: 


“[In] Morton v Chapman (1843) 11 M & W 534 ... the defen- 
dants' initial response was to say that they would sell the goods 
for the account of the plaintiffs. In reply, the sellers made it clear 
that they refused authority. ... the Court did not regard the case 
as one where the buyers could claim to be acting as agents of ne- 
cessity on behalf of the sellers” 


Given that the doctrine is intended to be applicable in extreme circum- 
stances only, it is unsurprising that so many cases have turned on the failure to 
seek instructions. The problem is further compounded by technological ad- 
vances. As Bowstead observes (at 4-007) the impossibility of securing in- 
structions is rare in the modern world. Markesinis and Munday similarly 
comment (at p 56) 


“With today’s improved communications, it may be difficult for 
the agent to establish that communication was practically im- 
possible” 


and Professor Fridman suggests (at p 135): 


“Tt must be impossible for the master to be able to communicate 
with the owners of the ship or cargo and ask for instructions [The 
Australia (1859) 8 Moo PCC 132] (which seems severely to limit 
the operation of this form of agency in the light of modern com- 
munications although it may be relevant where there are nume- 
rous cargo owners).” 


A further point is that agency of necessity developed to address the problems 
of money transfer as Sir John Jervis explained in The Oriental 7 Moo. P. C. 398 
at 411: 


"electric telegraph will not carry money, but to send a communi- 
cation on the one hand and receive an answer on the other." 


However, the focus on the growth and ease of communication as influencing 
the development of agency of necessity risks blinding commentators to the 
modern ease of money transfer. The consequence is that today, if communica- 
tions have all but eliminated the impossibility of obtaining instructions, those 
communication systems have also facilitated global money transfer almost to 
the extinction of agency of necessity. 


483 





6. Agency of Necessity in the Twenty-first Century 


As agency of necessity was established some centuries ago, it is easy to argue 
that the basic principles applicable to the ‘full’ doctrine of agency of necessity 
and the ‘more limited’ doctrine relating to reimbursement of agent’s expense 
characterise it as an anachronistic hang-over falling into disquietude. However, 
it must be remembered that much against the continuing prevailing ethos of 
agency, the doctrine of agency of necessity thrusts the validity of the agent’s 
actions upon the principal. Accordingly, it is right that, to protect the principal 
and limit the doctrine only to instances where his property is truly endangered, 
the tests are strictly and narrowly interpreted. 

Modern communication is ubiquitous and instantaneous: common. Tech- 
nological advances in communication have effectively facilitated global money 
transfer — the lack of which was a significant contribution to the growth of 
agency of necessity. Unsurprisingly, major academic commentators have all 
questioned the future of the doctrine on reasoning that modern communica- 
tions have eliminated one essential criteria — the impossibility of obtaining in- 
„structions. 

Ironically, analysis of the cases demonstrates that in agency of necessity 
the courts have struggled with the concepts of “emergency” and “necessity” ra- 
i ther than communication. So, the principal bar to the further application of the 
doctrine is not the existence of enhanced communication through advanced 
technology, but the strict and narrow test applied to identify the “necessity” of 
action. 


References 


1. Fridman, G.H.L. (1996) Law of Agency, 7 Ed, Butterworths, London. 

2. Markesinis, B.S. and Munday, R.J.C. (1998) An Outline of the Law of Agency, 4" Edi- 
tion, Butterworths, London. 

3. Mechem, F.R. A Treatise on the Law of Agency, (1914) 2" Ed. Callaghan and Co., Chi- 
cago, USA. 

4. Reynolds, F.M.B. Agency of Necessity, Journal of Business Law, 1990, Nov, 505. 

5. Reynolds, F.M.B. Bowstead and Reynolds on Agency (2006) 18" Ed. Sweet & Ma- 
xwell, London. 

6. Stoljar, S.J. Law of Agency (1961) Sweet & Maxwell, London. 

7. Trietel, G.H. The Law of Contract (1995) 9% Ed Sweet & Maxwell, London. 


484 








SafeSeaNet and Traffic Monitoring of Ships and 
Dangerous or Polluting goods in Maritime transport 
within the European Economic Area 


Einar Hannesson 
Officer 
EFTA Surveillance Authority, Rue Belliard 35, 1040 Brussels 
eha@eftasurv.int 


Abstract: The European Union has established an extensive ves- 
sel traffic monitoring and information system with a view to enhancing 
the safety and efficiency of maritime traffic. This new information sys- 
tem will be mandated in most ships and provide the EU Member States 
and the European Commission with various information pertaining to 
cargo and traffic routes. The information system requires telematic ex- 
change of data according to defined syntax and procedures and has sanc- 
tions based on EU Law for non-compliance. The information system is 
first and foremost the brainchild of the EU but is also interlinked with 
several International Conventions pertaining to prevention of pollution 
and maritime security. The information system will be mandatory within 
the European Economic Area and will, therefore, concern maritime traf- 
fic in most European waters — from the North-Atlantic Ocean to the 
Black Sea. 


Maritime and law 


Maritime transport is an ancient channel for commerce and maritime law has 
several distinctive characteristics from general commercial law. It has well es- 
tablished principles for the resolution of disputes involving maritime trade de- 
veloped very early in recorded history. Maritime law and shipping is 
international by nature as most of the trade is across borders and not confined 
to a single jurisdiction. Maritime law or Admiralty law is, therefore, largely 
based on a body of private international law governing the relationships be- 
tween private entities which operate vessels on the oceans. The Law of the 
Sea, however, is a body of public international law dealing with navigational 
rights, mineral rights, and jurisdiction over coastal waters and international 
law governing relationships between nations. In more recent times, many of 
these functions have been taken over by an international organization, the In- 
ternational Maritime Organization (IMO). 

The IMO has prepared numerous international conventions concerning 
maritime safety including the Safety of Life at Sea Convention (SOLAS), the 
Standards for Training, Certification, and Watchkeeping (STCW), the Colli- 


485 


sion Regulations (COLREGS), Maritime Pollution Regulations (MARPOL), 
International Aeronautical and Maritime Search and Rescue Convention 
(IAMSAR). The United Nations Convention on the Law of the Sea (UNC- 
LOS) is the main legal instrument regarding protection of the marine environ- 
ment and various maritime boundaries. [1] ` 

Maritime disasters have proved to be a strong incentive for the adoption 
of new Laws and Conventions. The establishment of the IMO and the creation 
of the first SOLAS Convention are linked to the Titanic disaster and the ban- 
ning of single hull oil tankers in Northern America, and eventually elsewhere, 
might be related to the Exxon Valdez oil spill in Alaska. Maritime disasters in 
Europe have also resulted in changes of European Community law. These in- 
clude the adoption of several Directives on passenger ferries that were adopted 
in the wake of the Herald of Free Enterprise and, a few years later, the Estonia 
disasters where hundreds of people perished due to mechanical failures. The oil 
spills when the tankers Erika and, more recently Prestige, stranded off the coast 
of France, have also had a significant impact on the development of European 
Community law in the field of maritime transport. [2] 

One of the lessons learned from past disasters is that a provision for in- 
formation pertaining to the number of people on board, the location of the ves- 
sels and/or polluting or dangerous goods can help to prevent pollution and 
facilitate search and rescue of ships in distress.[3] Systems for such notifica- 
tions have in fact been in force for decades. Many of these systems have been 
established by international treaties under the auspices of the IMO. 

Applicability of International Conventions to undertakings and individ- 
uals, however, is limited in many jurisdictions, where they have to be imple- 
mented into national legislation before they can be enforced. This lack of direct 
effect and direct applicability of International Law in dualistic national juris- 
dictions has, in Europe, led to related but discordant sets of rules in different 
Member States. 


Vessel traffic monitoring and information systems in the EU 
and the Traffic Monitoring Directive 


Several mandatory ship reporting systems have been set up along Europe's 
coasts in accordance with the relevant conventions by the IMO. Shippers have 
also been required to transmit information to coastal stations and harbors for 
years under Community law.[4] Many of these notification requirements, and 
a few additional new ones, have now been consolidated in a single directive, 
Directive 2002/59/EC of the European Parliament and of the Council of 27 
June 2002 establishing a Community vessel traffic monitoring and informa- 


486 








tion system and repealing Council Directive 93/75/EEC, which shall be re- 
ferred to hereinafter as the Traffic Monitoring Directive. [5] 


Aim of the Traffic Monitoring Directive 


The European Commission indicated in 1993 that one objective at Commu- 
nity level was the introduction of a mandatory information system to give 
Member States access to all important information related to the movement of 
ships carrying dangerous or polluting materials and to the precise nature of 
their cargo. [6] This objective was realized by the adoption of the Traffic Mon- 
itoring Directive which mandates the introduction of a pan-European infor- 
mation portal for ships. The objectives of the Directive are set out in Article 1 
as below: 


“The purpose of this Directive is to establish in the Community a 
vessel traffic monitoring and information system with a view to en- 
hancing the safety and efficiency of maritime traffic, improving the 
response of authorities to incidents, accidents or potentially danger- 
ous situations at sea, including search and rescue operations, and con- 
tributing to a better prevention and detection of pollution by ships.” 


The European Union has therefore adopted a regional monitoring and in- 
formation system that will affect most European waters and the Northern-At- 
lantic. Shipping is an international undertaking by nature and these regional 
rules are linked to the work within the IMO but there are several differences. 
Some related to substance and other to enforceability. [7] 

Article 23 of the Directive provides that the Commission and the Mem- 
ber States shall cooperate to achieve certain objectives. These include the com- 
puterized exchange of data between Member States in a single system which 
has generally been referred to as SafeSeaNet. The concept of SafeSeaNet has 
not, however, been defined yet but a proposal for a new Directive makes an at- 
tempt to define it as “the Community maritime information exchange system 
developed by the Commission in cooperation with the Member States to ensure 
the implementation of Community legislation”. [8] 

Even though the SafeSeaNet is being developed by the Commission, its 
operation has been delegated to the European Maritime Safety Agency 
(EMSA). The Agency offers services that need to be provided on a '24- hour a 
day basis' and includes: the operation and helpdesk of SafeSeaNet and direct 
assistance in case of an emergency, real time information regarding serious 
maritime accidents, liaison services for Member States to charter the contracted 
oil recovery vessels after a serious oil spill and the provision of satellite im- 
agery and further analysis, as satellite information is being received around the 
clock. 


487 


Furthermore, Member States are obliged to develop and maintain the 
necessary infrastructure to enable transmission, reception and conversion of 
data between systems using XML or EDIFACT syntax, based on Internet or 
X.400 communication facilities. [9] The process of putting into place all the 
necessary equipment and shore-based installations shall be completed by the 
end of 2007. [10] Member States shall ensure that the appropriate equipment 
for relaying the information to and exchanging it between the national systems 
shall be operational at the latest one year thereafter. Full implementation should 
be completed by 2009. [11] 


What should be notified, how and by whom? 


The Traffic Monitoring Directive applies to ships of 300 gross tonnage and up- 
wards, unless stated otherwise. It therefore applies to most ships in interna- 
tional shipping. Exemptions are listed in Article 2 and encompass warships, 
naval auxiliaries and other ships owned or operated by a Member State and 
used for non-commercial public service, fishing vessels, traditional ships and 
recreational craft with a length of less than 45 meters and bunkers below 5000 
tons, ships' stores and equipment for use on board ships.[12] 

The information the operator, agent or master of ship is obliged to pro- 
vide includes a notification of information to the port authority prior to entry 
into ports, provision of information when ships enter into the area of manda- 
tory ship-reporting systems, automatic identification and voyage data recorder 
systems. Furthermore, certain information shall be provided when ships car- 
rying dangerous or polluting goods leave port. These rules apply to ships re- 
gardless of size. The master of a ship is obliged to report on incidents and 
accidents at sea as further described in the Traffic Monitoring Directive. [13] 

Further descriptions of what has to be notified can be found in Annexes 
to the Traffic Monitoring Directive, which are similar to many International 
Conventions such as SOLAS. These requirements, however, are part of Com- 
munity law and stand independent of developments in international forum. As 
this could incur the risk of discrepancies between International Law and the Di- 
rective, it provides for a specific Comitology procedure. This procedure en- 
ables the Commission to amend the Annexes in order to bring them into line 
with Community or International Law insofar as such amendments do not 
broaden the scope of the Directive. [14] 

Operators are required to install on-board equipment compatible with 
pan-European specifications to fulfill these requirements and Member States 
shall carry out regular inspections and any other actions required to check the 
functioning of the shore-based telematic systems, in particular their capacity to 
meet the requirements for receiving or sending without delay, 24-hours a day, 
information about dangerous or polluting goods. [15] 


488 








It is the operator, agent or master who should notify the information. 
The requirement to notify is therefore rather broad and it should be considered 
who would be liable in case none of the above comply with the notification re- 
quirements. The Traffic Monitoring Directive does not stipulate these in itself. 
The obligation to notify the carriage of dangerous or polluting goods on board 
ships (HAZMAT) appears to lie with the shipper, who should inform the mas- 
ter of the ship or its operator. The operator, agent or master of the ship must 
communicate the cargo information to the port authority or the competent au- 
thority. [16] 


Consequences of non-compliance 


Article 25 of the Traffic Monitoring Directive provides that Member States 
shall lay down a system of sanctions for the breach of national provisions 
adopted pursuant to the Directive and shall take all the measures necessary to 
ensure that those sanctions are applied. The sanctions thus provided shall be ef- 
fective, proportionate and dissuasive. The Directive also has more specific pro- 
visions for the situation when a Member State finds that, on the occasion of an 
incident or accident at sea referred to in Article 19 of the Directive, the com- 
pany has not been able to establish and maintain a link with the ship or with the 
coastal stations concerned, it shall so inform the State which issued the ISM 
document of compliance and associated safety management certificate, or on 
whose behalf it was issued. 

Where the seriousness of the failure shows the existence of a major in- 
cidence of non-compliance in the functioning of the safety management sys- 
tem of a company established in a Member State, the Member State which 
issued the document of compliance or safety management certificate to the 
ship shall immediately take the necessary measures against the company con- 
cerned with the view to having the document of compliance and the associ- 
ated safety management certificate withdrawn. 

These provisions should be seen in the context of Directive 2005/35/EC 
of the European Parliament and of the Council of 7 September 2005 on ship- 
source pollution and on the introduction of penalties for infringements and 
Council framework decision 2005/667/JHA of 12 July 2005 to strengthen the 
criminal-law framework for the enforcement of the law against ship-source 
pollution. Both these Acts have been disputed in the Court of Justice of the 
European Communities. The framework decision was disputed for its allegedly 
incorrect legal basis. The Commission is of the opinion that it should be Arti- 
cle 82(2) EU relating to the common transport policy of the Community but not 
title VI of the Treaty on the European Union which has to do with police and 
cooperation in judicial matters. This is a fundamental question which has to do 


489 


with the distribution of competences between the first and the third pillars of 
the EU as well as between the Community and the Member States in the area 
of criminal law and is therefore of truly constitutional significance. [17] The 
Court of Justice has now decided, by a judgment of 23 October 2007, to annul 
the Framework Decision. The Court observed that several provisions of the 
Decision were designed to ensure the efficacy of the rules adopted in the field 
of maritime safety, non-compliance with which may have serious environ- 
mental consequences, by requiring Member States to apply criminal penalties 
to certain forms of conduct. Those articles were regarded by the Court as being 
essentially aimed at improving maritime safety, as well as environmental pro- 
tection, and could have been validly adopted on the basis of Article 80(2) EC. 
However, by contrast, the Court observed that the determination of the type 
and level of the criminal penalties to be applied does not fall within the Com- 
munity’s sphere of competence. The Court noted that Framework Decision 
2005/667/JHA, in encroaching on the competence which Article 80(2) EC at- 
tributes to the Community, infringes Article 47 EU and, being indivisible, must 
be annulled in its entirety. [18] 

The latter disputed Act, Directive 2005/35/EC, has also been referred to 
the Court of Justice. In a reference to a preliminary ruling by the High Court 
of Justice (England & Wales), the Court of Justice is essentially asked whether 
Articles 4 and 5 are invalid insofar as they limit certain exceptions in Annexes 
to the MARPOL. [19] 


Which state has the jurisdiction? 


General provisions about the jurisdiction of States in criminal matters are sub- 
ject to International Law with UNCLOS being the most important as regards 
marine environment. The Convention provides for a limited jurisdiction of the 
coastal State within its Exclusive Economic Zone (EEZ), e.g. concerning pol- 
lution of the marine environment. These principles should, in theory, be en- 
shrined in national legislation of the EU Member States, including their penal 
codes, but they have been applied differently. Therefore, the Community 
adopted the Council Framework Decision 2005/667/JHA. 

Article 7 of the now annulled Council Decision provides that each Mem- 
ber State shall take the measures necessary to establish its jurisdiction, so far 
as permitted by International Law. This can include offenses in its territory, 
EEZ, on board of a ship flying its flag regardless of location, offenses by one 
of its nationals, or offenses committed for the benefit of a legal person with a 
registered office in its territory. Offenses committed outside the State's own 
territory can even be within its jurisdiction if it has caused or is likely to cause 
pollution within its territory or its economic zone, and the ship is voluntarily 


490 








within a port or at an offshore terminal of the Member State. Offenses com- 
mitted on the high seas can also fall under the jurisdiction of a Member State 
if the ship is voluntarily within a port or at an offshore terminal of the Mem- 
ber State. When an offense is subject to the jurisdiction of more than one Mem- 
ber State, the relevant Member States shall strive to coordinate their actions 
appropriately. Article 7 does not mandate the type and level of criminal penal- 
ties and appears to be within Community competence. It is likely, therefore, 
that future Community legislation based on Article 80 EC will stipulate for ju- 
risdiction in such cases as have been mentioned above. 

Community legislation does have a Port State Control system pursuant 
to Council Directive 95/21/EC on port State control of shipping which can be 
relied on in case ships enter Community waters. [20] Port State Control ap- 
plies to any ship and its crew calling at a port of a Member State or at an off- 
shore installation, or anchored off such a port or such an installation, regardless 
of its flag. The requirements that any ship within the EU Waters can be ex- 
pected to comply with are listed in Article 2 of the Directive and encompass 
several IMO and ILO Conventions. LRIT and AIS are, or will be, mandated by 
these Conventions. Any ship could therefore become subject to increased 
scrutiny when in Community waters or be retained by national authorities if it 
does not comply with these Conventions. On the opposite view, this entails 
that the Member States are not able to require non-EU ships to comply with EU 
requirements except if they have been mandated by these Conventions and 
listed in the Directive. 


Protection of personal data 


The information exchanged within the SafeSeaNet can be of various types, 
both concerning the ship, its journey, cargo and registration and persons on- 
board. The data processing has aims both related to Safety and Security. In 
practice it is safe to say that the issuance of personal data has caused ambigu- 
ity. Some EU Member States have questioned whether the network is suffi- 
ciently secure, or whether third parties could extract commercial information 
out of the system at the expense of the data subject. Article 24 of the Traffic 
Monitoring Directive requires Member States, in accordance with their na- 
tional legislation, to take the necessary measures to ensure the confidentiality 
of information sent to them pursuant to the Directive. 

The Commission had not intended to change Article 24 but the Euro- 
pean Parliament has proposed changes, which read: 


“Member States shall, in accordance with their national legislation, 
verify that AIS and LRIT data transmitted by ships is not being made 


491 


publicly available or used for purposes other than safety, security 
and the protection of the environment, or which would affect compe- 
tition between ship operators. In particular, they shall not authorize 
the public dissemination of information concerning the details of the 
cargo or of the persons on board, unless the master or the operator 
of the vessel has agreed to such use.” [21] 


Regardless of whether the amendments suggested by the Parliament will 
be adopted at a later stage or not, it is difficult to say which standard for pro- 
tection of information should be applied for data disseminated into SafeSeaNet 
as the level can differ between Member States. However, the processing of in- 
formation that can be described as personal data has been harmonized within 
the EEA and should be the same in all countries. Directive 95/46/EC of the Eu- 
ropean Parliament and of the Council of 24 October 1995 on the protection of 
individuals with regard to the processing of personal data and on the free 
movement of such data requires Member States to protect the fundamental 
rights and freedoms of natural persons and in particular their right to privacy 
with respect to the processing of personal data. Personal data shall mean any 
information relating to an identified or identifiable natural person. But the Di- 
rective has a much too narrow scope to provide satisfactory answer about 
which rules should apply to the handling of information pursuant to the Traf- 
fic Monitoring Directive. Consider this. 

The Data Protection Directive applies to individuals’ only but traffic 
data in SafeSeaNet would not necessarily be personal data. Its scope, however, 
is limited in another way, even if data is deemed to be a personal data pursuant 
to the Directive, as it does not cover security and criminal matters. Traffic data 
which is personal data e.g. in relation to criminal investigation, would there- 
fore be outside its scope.[22] It can therefore be difficult to establish which 
principles should apply to processing of information into SafeSeaNet. 

The preamble to the Traffic Monitoring Directive stipulates for cooper- 
ation with third countries. Has such transfer of information to comply with Ar- 
ticle 25 of the Data Protection Directive about transfer of personal data to third 
countries? That is possibly not the case. The Court concluded in Bodil Lindqvist 
that there is no ‘transfer of data to a third country' within the meaning of Arti- 
cle 25 of the Data Protection Directive where an individual in a Member State 
loads personal data onto an internet page which is stored on an internet site on 
which the page can be consulted and which is hosted by a natural or legal per- 
son who is established in that State or in another Member State, thereby mak- 
ing that data accessible to anyone who connects to the internet, including 
people in a third country. [23] SafeSeaNet is based on standard Internet tech- 
nology and supports communication over TCP/IP and the European informa- 


492 








tion exchange network TESTA. Ironically, it could also exclude transfer of per- 
sonal data to third countries from the cumbersome rules of the Data Protection 
Directive, that the data is processed for purposes outside the scope of the Data 
Protection Directive, e.g. activities provided for by Titles V and VI of the 
Treaty on European Union, and in any case processing operations concerning 
public security, defense, State security and the activities of the State in areas 
of criminal law. [24] 

The EU has adopted several decisions within the second and third pil- 
lars about how to ensure data protection for the purposes of criminal investi- 
gation, security or other aims outside the scope of the Data Protection 
Directive. These decisions require Member States to ensure a certain level of 
confidentiality. It should be noted that the EU Member States are all parties to 
the European Convention of Human Rights which should always provide in- 
dividuals with a minimum of rights of privacy and due process. [25] 


Future of SafeSeaNet 


The list of information to be notified according to the Traffic Monitoring Di- 
rective is to be found in Annex I and the on-board equipment is described in 
Annex II. That list is about to be expanded as the IMO has decided to make 
LRIT mandatory for vessels.[26] The European Commission has, therefore, 
proposed that Annex to the Traffic Monitoring Directive should be updated ac- 
cordingly to include LRIT. The EU, however, intends to establish European 
Union LRIT Data Centres (MSC 82/8/11) instead of participating in a global 
system. 

The European Commission, on 10 October 2007, announced a Com- 
munication on an integrated Maritime Policy for the European Union. This 
Communication proposed actions in the field of maritime surveillance which 
includes improved cooperation between Member States’ Coastguards and ap- 
propriate agencies. Steps will be taken towards a more interoperable surveil- 
lance system to bring together existing monitoring and tracking systems. A 
Commission Staff working document indicates that these systems might in- 
clude Operational Cooperation at the External Borders of the Member States 
of the EU (FRONTEX), European Patrols network (EPN), European Border 
Surveillance System (EUROSUR), Space applications under GMES-Security, 
etc. In addition to this it appears possible that criminal law in relation with en- 
vironmental protection will increasingly be dealt with on the basis of the Com- 
munity's transport policy pursuant to Article 80(2) EU. 

While ship-owners do not seem to have a strong position on SafeSeaNet, 
European Ports seem to be rather skeptical. It is guessed, therefore, that any fur- 
ther developments will be driven by public authorities. 


493 


Considerations in relation to the EEA EFTA States 


The Traffic Monitoring Directive was adopted into the EEA Agreement by JCD 
No 13/2003 and is referred to in Annex XIII of the Agreement.[27] The Di- 
rective has been implemented into national legislation of Iceland and Nor- 
way.[28] Maritime Directorates of the two countries are actively participating 
in the SafeSeaNet and Norway has a role in developing the system. There are, 
however, certain discrepancies in the legal framework encircling traffic mon- 
itoring within the EEA. These issues relate to the differences in scope of the 
three pillars of the EU on the one hand, and the EEA Agreement on the other, 
which generally excludes from its scope justice and home affairs and foreign 
and security policy of the EU. 

Enforcement of the legal framework for the prevention of pollution, that 
is now being disputed in the Court of Justice, and certain Community acts per- 
taining to cooperation in police and judicial affairs are not part of the EEA 
Agreement and, perhaps, will never be. Directive 2005/35/EC on ship-source 
pollution and on the introduction of penalties for infringements is not labeled 
EEA-relevant, neither is the, now annulled, Council Decision (EC) 667/2005, 
to strengthen the criminal-law framework for the enforcement of the law 
against ship-source pollution. Whether these rules, or comparable measures in 
the future, will become part of the EEA Agreement depends on the legal basis. 
If it turns out that the legal basis is Article 80(2) EC but not in police and ju- 
dicial cooperation in criminal matters, it seems pertinent that these principles 
will become part of the EEA Agreement. Polluters are, however, not free from 
possible prosecution as Norway and Iceland are parties to all the major inter- 
national treaties on prevention of pollution and have introduced sanctions in 
their penal codes and sector specific legislation to punish such violations. 

SafeSeaNet is an information exchange system to ensure the imple- 
mentation of Community legislation in a broad context. If some of that legis- 
lation is not part of the EEA Agreement, it could mean that the EFTA States, 
Iceland and Norway, would not participate in all aspects of the information ex- 
change. 


Conclusions 


There has been rapid development of traffic monitoring systems in the Inter- 
national and European context of late. This development has been driven for 
the purposes of maritime security, Search and Rescue (SAR), maritime safety 
and protection of the marine environment - all issues which have been gaining 
the increased attention of regulators - especially maritime security. 

The development of these networks is on-going and still faces several 


494 








challenges that relate to varying effectiveness of national administrations, skep- 
ticism about further European integration and concerns about the security of in- 
formation exchanged over the network. Some undertakings that will be affected 
by these rules stress the importance of universal standards but have doubts 
about European legislation that diverges from what is being stipulated for in In- 
ternational Conventions. It appears, however, that further harmonization is 
likely as the European Commission will be able to rely on a “hard core” legal 
basis in future legislative proposals instead of more vague provisions in the 
second and third pillars of the EU Treaty where it has no competence. It also 
appears from most recent Communications from the European Commission 
that these information systems will affect much broader issues than the Traf- 
fic Monitoring Directive currently does. 

Introduction of the systems discussed above will not be without signif- 
icant costs. The Member States will of course have to invest in equipment 
within their territory and contribute to common costs in running the central fa- 
cilities. The bulk of the cost, however, will be borne by private undertakings, 
including harbors, which claim that they might have to make considerable in- 
vestments in equipment, reconfigure their IT-systems and devote manpower 
to handling exchange of information. Nevertheless, there appears to be a com- 
mon understanding that a one-stop-shop, relaying on electronic communica- 
tions in a single network, is the future. 


Notes: 


[1] Short description of the applicable IMO Conventions can be found at: 
http://www.imo.org/ 

[2] These disasters have been mentioned in a number of Community Acts, including pre- 
amble to Directive 98/41/EC and in jurisprudence, including Case C-440/05 Commission 
v. Council and thereby influencing interpretation. 

[3] See, Council Directive 98/41/EC of 18 June 1998 on the registration of persons sailing 
on board passenger ships operating to or from ports of the Member States of the Commu- 
nity was adopted on those premises. 

[4] These ship reporting systems have largely been outside the scope of Community law. 
However, several Community acts suggest the existence of such obligations e.g. Council 
Directive 97/70/EC of 11 December 1997 setting up a harmonised safety regime for fish- 
ing vessels of 24 metres in length and over, concerning radio-communications pursuant to 
the Torremolinos Protocol and Council Directive 93/75/EEC of 13 September 1993 con- 
cerning minimum requirements for vessels bound for or leaving Community ports and car- 
rying dangerous or polluting goods. 

[5] See, Directive 2002/59/EC of the European Parliament and of the Council of 27 June 
2002 establishing a Community vessel traffic monitoring and information system and re- 
pealing Council Directive 93/75/EEC, OJ L 208, 5.8.2002, p. 10-27. 

[6] See, Preamble to Directive 2002/59/EC. 

[7] MARPOL can impose liability for certain polluting acts but these rules have now been 


495 


imposed as well by Directive 2005/35/EC of the European Parliament and of the Council 
of 7 September 2005 on ship-source pollution and on the introduction of penalties for in- 
fringements, OJ L 255, 30.9.2005, p. 11-21. 

[8] See, Proposal for a Directive of the European Parliament and of the Council amending 
Directive 2002/59/EC establishing a Community vessel traffic monitoring and information 
system {SEC(2005) 1514} 2005/11/23 and 2005/0239 (COD) 

[9] See, Annex III to Directive 2002/59/EC. 

[10] See, Article 9 to Directive 2002/59/EC. 

[11] Article 26. 

[12] Article 2. 

[13] Article 17. 

[14] Article 27. Comitology procedure 

[15] Article 13 and Annex III 

[16] Article 13 

[17] See, Case C-440/05 Commission of the European Communities v Council of the Eu- 
ropean Union, Opinion of advocate general Mazak delivered on 28 June 2007, unpublished. 
[18] See, Case C-440/05 Commission of the European Communities v Council of the Eu- 
ropean Union, Judgement of the Court delivered on 23 October 2007, paragraphs 69-71 
and 74, unpublished. 

[19] See, Case C-308/06, Reference for a preliminary ruling from High Court of Justice 
(England & Wales), Queen's Bench Division (Administrative Court) made on 14 July 2006 
— The Queen on the application of The International Association of Independent Tanker 
Owners (Intertanko), The International Association of Dry Cargo Shipowners (Intercargo), 
The Greek Shipping Co-operation Committee, Lloyd's Register, The International Salvage 
Union v Secretary of State for Transport, (2006/C 261/17). 

[20] See, Council Directive 95/21/EC of 19 June 1995 concerning the enforcement, in re- 
spect of shipping using Community ports and sailing in the waters under the jurisdiction 
of the Member States, of international standards for ship safety, pollution prevention and 
shipboard living and working conditions (port State control), OJ L 157, 7.7.1995 (It has 
been amended on several occasions). 

[21] P6_TA(2007)0146, European Parliament legislative resolution of 25 April 2007 on 
the proposal for a directive of the European Parliament and of the Council amending Di- 
rective 2002/59/EC establishing a Community vessel traffic monitoring and information 
system (COM(2005)0589 — C6-0004/2006 — 2005/0239(COD)) 

[22] See, Joined Cases C-317/04 and C-318/04 European Parliament v Council of the Eu- 
ropean Union, unpublished. 

[23] See, Case C-101/01 Lindqvist [2003] ECR I-12971. 

[24] See, Joined Cases C-317/04 and C-318/04 European Parliament v. Council of the Eu- 
ropean Union, unpublished. 

[25] See, Articles 6 and 8 of the European Convention for the Protection of Human Rights 
and Fundamental Freedoms, signed in Rome on 4 November 1950. 

[26] The IMO Maritime Safety Committee (MSC) decided in 2006 to adopt amendments 
to SOLAS to make LRIT mandatory for all vessels. LRIT is an acronym for Long Range 
Identification and Tracking equipment that can be installed in ships. The MSC decided that 
LRIT should be installed in ships constructed on or after 31 December 2008. Ships that are 
constructed before 31 December 2008 should also have LRIT if they are certified for op- 
eration in sea areas Al, A2 and A3. The IMO has, in that regard, adopted regulation V/19- 
1 of the International Convention for the Safety of Life at Sea, 1974 (SOLAS) relating to 
the long-range identification and tracking of ships (LRIT). 


496 








[27] See, Decision of the EEA Joint Committee No 13/2003 of 31 January 2003 amending 
Annex XIII (Transport) to the EEA Agreement, OJ L 94, 10.4.2003, p. 67—68. 

[28] In Iceland it has been implemented by Regulation No. 672/2006 on a maritime sur- 
veillance body and vessel traffic surveillance and in Norway by Act of 8 June 1984 No. 51 
relating to harbors and Fairways, Act of 13 March 1981 No. 6 relating to protection against 
pollution and relating to waste, Act of 14 April 2000 No. 31 relating to handling of personal 
data, Regulation of 16 June 1999 No. 727 - Krav til melding og utfylling av kontrolliste ved 
fartoyeres transport avfarlig eller forurensende last (on reporting formalities for ships car- 
rying dangerous and hazardous goods), Regulation 2 April 1987 No. 231 - Rapportering av 
hendelser til sjøs (on reporting of incidents at sea), Regulation 15 September 1992 No. 701 
- Navigasjonshjelpemidler- og bro-, styrehus- og radioarrangementer for skip (on naviga- 
tional aids, bridge- and radioarrangements for ships), Regulation 13 June 2000 No. 660 om 
konstruksjon, utstyr, drift og besiktelser for fiske- og fangstfartey med største lengde pa 15 
meter og derover (on construction, equipment, operation of and survey on fishing- and 
hunting vessels from 15 meters and over) and Regulation amending Regulation of 15 Sep- 
tember 1992 No. 701 concerning Navigational Aids and Arrangements on the Bridge and 
in the Wheelhouse, and Communication Equipment in the Wheelhouse of Ships. 


References 


1. | The European Commission, Proposal for a Directive of the European Parliament and 
of the Council amending Directive 2002/59/EC establishing a Community vessel traf- 
fic monitoring and information system {SEC(2005) 1514} 2005/11/23 

2. European Maritime Safety Agency, SafeSeaNet Bulletin nO <5 — April 2007. 

3. Kystverket, Users Guide for the SafeSeaNet System in Norway, Version 1.1 Eng, 

Haugesund, 2006. 

4. Case C-440/05 Commission of the European Communities v Council of the Euro- 
pean Union, unpublished. 

5. European Commission, Commission Staff Working Document accompanying docu- 
ment on the Communication from the Commission to the European Parliament, the 
Council, the European Economic and Social Committee and the Committee of the 
Regions, An Integrated Maritime Policy for the European Union, SEC(2007) 1278. 

6. European Commission, Communication from the Commission to the European Par- 
liament, the Council, the European Economic and Social Committee and the Com- 
mittee of the Regions, An Integrated Maritime Policy for the European Union, 
COM(2007) 575 final. 

7. The United Kingdom Parliament, 10 Management of the EU's southern maritime bor- 

ders, Sixth Report, Committee on European Scrutiny, House of Commons, 

(28109)16126/06 COM, (06)733. 

European Community Shipowners' Association, ECSA Newsletter, No 5/07. 

9. European Sea Ports Organisation, ESPO note regarding developments in the field of 
vessel traffic monitoring and ship reporting in relation to SafeSeaNet, September 
2007. 

10. European Commission, Green paper, Towards a future Maritime Policy for the Union: 
A European vision for the oceans and seas- "How inappropriate to call this planet 
Earth when it is quite clearly Ocean" attributed to Arthur C. Clarke, COM(2006) 275 
final, Brussels, June 7, 2006. 














oo 


497 


Appendix 


IMO 
SOLAS 
STCW 


COLREGS 


MARPOL 


IAMSAR 


UNCLOS 
SafeSeaNet 


EMSA 
XML 
EDIFACT 


X.400 


HAZMAT 
EEZ 
TCO/IP 


TESTA 
LRIT 

AIS 
FRONTEX 


EPN 
EUROSUR 
GMES 


International Maritime Organization 

Safety of Life at Sea Convention 

International Convention on Standards of Training, Certification and 
Watchkeeping for Seafarers 

Convention on the International Regulations for Preventing Colli- 
sions at Sea, 1972 

International Convention for the Prevention of Pollution from Ships, 
1973, as modified by the Protocol of 1978 relating thereto (MAR- 
POL 73/78) 

International Aeronautical and Maritime Search and Rescue Con- 
vention 

United Nations Convention on the Law of the Sea 

European electronic reporting- and information system for vessel 
traffic 

European Maritime Safety Agency 

Extensible Markup Language 

United Nations/Electronic Data Interchange For Administration, 
Commerce, and Transport 

Suite of ITU-T Recommendations that define standards for Data 
Communication Networks for Message Handling Systems (MHS) 
Hazardous Material 

Exclusive Economic Zone 

Protocol suite, which is named after two of the most important pro- 
tocols in it: the Transmission Control Protocol (TCP) and the Inter- 
net Protocol (IP) 

Trans European Services for Telematics between Administrations 
Long Range Identification and Tracking 

Automatic Identification System 

Operational Cooperation at the External Borders of the Member 
States of the EU 

European Patrols network 

European Border Surveillance System 

Global Monitoring for Environment and Security 


498 








Revisiting Network Neutrality 


Rebecca Wong Daniel B.Garrie, JD Daniel W. Loewenherz 


Senior Lecturer in Law Editor-in-Chief P.O.Box 200701 
Nottingham Law School Journal of Legal Technology New Haven 
Burton Street, NGI 4BU Risk Management CT 06520 

United Kingdom 4580 Klhanie Dr. SE USA 
Suite 161 Issaquah, WA 
98029,USA 


Abstract. The paper discusses the topical subject of network neu- 
trality, from a US and European legal perspective. The article will begin 
by first defining network neutrality before addressing the underpinning 
technology and will then compare the legal approaches adopted by Eu- 
rope and the U.S. In Europe, there is an existing electronic communica- 
tions regulatory framework which can be used to address the network 
neutrality problem which renders any further legislation unnecessary 
and perhaps detrimental to the current framework. In the US, however, 
the main concern arising is a potential for a “fragmented” Internet, which 
leads us to conclude that network neutrality legislation is necessary on 
multiple levels. The article will conclude that the US stance on network 
neutrality legislation will cause a seismic shift in the way we view tech- 
nology and the way that networks are accessed and utilised. 


Keywords: Network neutrality; Access and Interconnection Directive; network oper- 
ators, Privacy 


Biographical Notes: Dr Rebecca Wong is Senior Lecturer in Law at Nottingham Law 
School, Nottingham Trent University with teaching and research interests in Tort, In- 
tellectual property, Data Protection and Cyber law. Her main areas of specialism are 
in data protection and privacy. She holds an LLB (1998), MSc (2000), LLM (2001), 
PCHE (2004) and has recently completed her PhD (University of Sheffield, 2007) in 
data protection. Her recent publications have included Data Protection Online: Alter- 
native approaches to sensitive data, 2007, International Journal of Commercial Law 
and Technology, 2(1) 9-16 (reprinted in Journal of Internet Law, March 2007 and 
ICFAI Cyberlaw, May 2007) and “Demystifying clickstream data: a European and US 
perspective” in Emory International Law Review 20(2), 563-590 (2006). 

Daniel Garrie holds a MA and BA in Computer Science from Brandeis University and 
a JD from Rutgers School of Law. Mr. Garrie specializes in legal technology risk ma- 
nagement. He consults primarily to in-house counsel and IT departments on informa- 
tion management strategies in the United States and internationally, e-policy guidance 
synchronization (policies and operations), e-discovery litigation risk management and 
legal technology strategies, integration, and best practices. Mr. Garrie is admitted to 
practice law in New York and New Jersey, and currently serves as editor-in-chief of the 
Journal of Legal Technology Risk Management. 


499 


Daniel W. Loewenherz is currently a junior at Yale University, pursuing a B.A. degree 
in Economics and Mathematics. Following graduation from Yale in Fall 2008, he plans 
to matriculate into law school and pursue interests in international law. His academic 
interests include financial modeling, programming, and stochastic processes as applied 
to human behavior. He is a regular programming competitor on TopCoder.com and se- 
cured a third-place finish at the 2005 ACSL International Programming Tournament. 
He is currently researching the state of agricultural insurance and financial derivatives 
in the People’s Republic of China. 


1. Introduction 


While network neutrality has been the subject of heated debate in the US, the 
topic has received far less global attention. In this paper, the authors explore ne- 
twork neutrality from a European and US standpoint, with particular focus on 
the international implications arising from the US stance on network neutrality 
legislation. 

The paper is divided into four sections. The first section will examine the 
notion of network neutrality as defined by Wu and Berners Lee and define the 
scope of “network neutrality” as it relates to this paper. The second and third 
sections will discuss the current European and US legal frameworks. The dif- 
ferences in network infrastructure are examined in light of the contrasting legal 
frameworks in the US and Europe. 


2. Network Neutrality 


In this paper, we use the term “network neutrality” to apply to the provision of 
Internet applications and services by Internet service providers (ISPs), in the 
context of wireless (cell-phones and PDAs) and wired communications. [1] 
Providers should be restricted from blocking services and software from end 
users. 

In addition, legislative measures are unduly cumbersome upon enforce- 
ment authorities such as the FCC and other telecommunication authorities 
which lack sufficient network-monitoring resources. 

How do regulators monitor ISPs that operate outside US borders and 
block applications originating from the US? Irrespective of whether this is also 
a European problem, networks are not confined by borders.[[2] 


2.1 Arguments Made for Legislation on US Network Neutrality 


2.1.1 Consumer choice 


The underlying rationale submitted by authors such as Wu and Lessig is that 


500 








companies that restrict services deprive or degrade consumers’ experiences 
and services. Wu argues that “blocking [services] can keep a better or cheaper 
product (VoIP) from coming to market at all, and often it can prevent such 
products from being offered in an effective form.” 


2.1.2. Public and private property 


Broadband connections are a public resource and should be used to convey 
data irrespective of its origination. Consumers are entitled to resources on the 
Internet without interference from their broadband providers. 


Privacy of Communications [3] 


Communications privacy is an important issue for end-users, particularly if 
they want to be able to decide whether Internet services are blocked by their 
ISP. Any monitoring of web pages accessible by individuals should be limited 
to what is necessary and in accordance with the European Data Protection 
Framework (European Data Protection Directive 95/46/EC and Directive on 
Privacy and Electronic Communications 2002/58/EC). Transparency is needed 
on the part of network operators if the privacy of users’ web browsing activi- 
ties is to be maintained. 


3. E.U. Legal Framework 
3.1. New Regulatory Framework for Electronic Communications 


The EU regulatory framework is comprised of five main Directives. [4] The ap- 
proach by the Directorate of Information Society is to take a liberal view to 
telecommunications such that it is left to the “undertaking” to negotiate inter- 
connection agreements. 

The Interconnection Directive applies to networks carrying publicly 
available communications services, including fixed and mobile telecommuni- 
cations networks. It does not apply to web-based content, [5] but rather to ISPs. 

The main provision to note is that which imposes a greater responsi- 
bility upon NRAs to ensure access and interconnectivity. Article 5 of the Di- 
rective delineates the powers and responsibilities of the NRAs concerning 
access and interconnection. This provision provides that NRAs shall ‘encour- 
age and where appropriate ensure, in accordance with the provision of this 
Directive, adequate access and interconnection, and interoperability of serv- 
ices, exercising their responsibility in a way that promotes efficiency, sustain- 
able competition, and gives maximum benefit to end-users’ (emphasis added). 

If an operator is found to have SMP (at wholesale level), [6] then the 
NRA can, under the Interconnection and Access Directive, impose the follow- 
ing obligations: 


501 


e Transparency obligations (Art. 9) 

e Non-discrimination obligations (Art. 10) 

e Accounting separation obligations (Art. 11) 

e Obligations requiring mandatory access to be granted to specific net- 
work facilities (Art. 12) 

e Price control and cost accounting obligations (Art. 13) 


Article 12 is relevant because NRAs can impose obligations on opera- 
tors to meet reasonable requests for access to, and use of, specific network el- 
ements. 

For non-SMP operators, Article 5(1) (a) of the same Directive may 
come into play with NRAs taking a greater responsibility to ensure connectiv- 
ity to end-users. It is interesting to note the emphasis placed under the Direc- 
tive upon NRAs to ensure that consumers are not disadvantaged if access 
tiering should occur between network providers. 

A further point to add is that unlike in the US, the broadband market 
in the UK [7] is such that consumers can easily switch from one network op- 
erator to another. In the latest report [8] published by Ofcom, approximately 
69% of UK Internet users surveyed thought it would be easy to switch Inter- 
net service providers. This flexibility was further reinforced by rules regarding 
broadband migrations between different ISPs, introduced by Ofcom on 14 Feb- 
ruary 2007[9].All in all, it is unlikely that consumers would tolerate discrimi- 
nation between service providers by their network operators. 10] 

Finally, it should be added that Regulation 2887/2000[11], stipulates 
that access can only be refused on the basis of technical infeasibility or the 
need to maintain network integrity. The Regulation also requires the incumbent 
operators to offer shared access [12] and sub-loop unbundling. 

At the time of writing, the European Commission has indicated (in its 
recent communication) that it will monitor legal developments of network neu- 
trality in the US, yet whether anything will transpire on this front is still unclear. 
The prevailing view is that the existing European legislative framework is suf- 
ficient to deal with conflicts arising between network and cable providers, and 
therefore does not need to call for the types of regulations anticipated in the US. 
Despite this, whether the existing regulation will be sufficient to deal with overt 
discrimination between broadband providers and application providers is still 
unclear. 


3.2. UK: Communications Act 2003 


The national regulatory authority in the UK, Ofcom, took the view that the ex- 
isting regulatory framework does not necessitate further network neutrality 
regulation. 

The echoes from Ofcom highlight the concerns over reasons why fur- 
ther regulation is not considered necessary. The current EU and UK regulatory 


502 








framework already provides for remedies against SMP network operators that 
charge for prioritising, blocking, or degrading traffic. Ofcom acknowledges 
that “network neutrality rules could be developed as an iteration of the exist- 
ing non-discrimination rules.” 

Market power is elaborated under sec. 79 of the Communications Act 
of 2003, whereby Ofcom would have to identify the markets and carry out an 
analysis, taking into account the guidelines by the European Commission. 

Can the UK Communications Act 2003 guarantee user end-to-end con- 
nectivity? A useful example is to consider BT and Kingston, whereby its pre- 
decessor, Director of Oftel, has been able to impose obligations on BT and 
Kingston to provide network access on reasonable request to third parties and 
do so on fair and reasonable terms, conditions and charges by virtue of sec’s 
151(3) and 151(4) Communications Act 2003.[13] 

The most recent example whereby an NRA has been able to impose 
obligations on non-SMP operators under the corresponding national provision 
to Article 5(1) of Access and Interconnection Directive is the case UK/2003/19 
in which Ofcom had notified an obligation on Sky Subscriber Services Lim- 
ited, the only provider of access control services for digital TV, to provide ac- 
cess to these services on fair, reasonable and non-discriminatory terms. 

To summarise the European and UK section, the existing regulations 
under the Communication Act 2003 and the Access and Interconnection Di- 
rective means that that scenario of access tiering between network operators 
and application providers is remote. If access tiering were to occur, the NRAs 
have a responsibility to ensure end-to-end connectivity for non-SMP operators 
under Art. 5(1) of the Access and Interconnection Directive or in the case of 
(wholesale) SMP operators, adhere to the obligations as provided under this Di- 
rective. 


4. U.S. Network Neutrality 


The US debate hinges on the fear that broadband companies will support cer- 
tain content based websites and not others, thereby influencing consumer ac- 
tions. 

If Congress does not act accordingly and mandate network neutrality 
through national legislation, Internet integrity will be compromised as US 
states are likely to enact their own legislation, which may lead to a division on 
the network structure (due to interstate jurisdictional clashes). This is a realis- 
tic scenario given that in June 2007.Maine became the first state in the nation 
to pass laws requiring ISPs to ensure a non-discriminatory Internet [14]. Given 
the scope of this paper, the subject of Internet segregation will not be explored 
here. 


503 


Consequently, broadband providers that favour one service provider 
over another may violate State network neutrality legislation, privacy law (on 
the local, state, and national levels), [15] and specific statutes passed by States 
and the Federal government to provide citizens with information access. 

A counter-argument to the need for regulation is that consumers will 
transform their buying patterns such that the broadband providers will carry the 
content that the consumers desire. However, should economic welfare deter- 
mine whether one can call 911, read about governmental legislation, or watch 
political debates? 

Unlike the past, national cable providers now tend to offer a full range 
of communications products, often bundled together. The question then is: How 
can a consumer migrate to a cost-effective broadband provider if such choices 
are limited or unavailable? And certainly, broadband carriers should block com- 
petitors who seek to deliver phone or cable services using their bandwidth. The 
technology precepts to execute broadband content discrimination potentially 
infringe upon the constitutional and federally recognized right to privacy for 
oral communications in the home. 

Finally, the current network neutrality debate is not considering a very 
costly and real potential outcome. That is, if broadband discrimination is per- 
mitted and Congress does not ensure network neutrality, the mass exodus of 
website national cable providers from the US to more favourable (business- 
wise) countries is a possibility. 


4.1. Current US Framework on Network Neutrality” 


The Telecommunications Act of 1996 (the “1996 Act”) [16], is the first major 
legislation addressing telecommunications since the Communications Act of 
1934 (the “1934 Act”) and was intended to address a new era in communica- 
tions, and to serve as a framework for regulating emerging technologies and 
markets. 

Carriers selling broadband Internet access, pursuant to recent Supreme 
Court decisions, are considered information services carriers. It is here that the 
distinction between information services carriers and telecommunication se- 
rvices becomes significant, since the 1996 Act regulates telecommunications 
carriers while information service carriers do not fall under its purview. Tra- 
ditionally distinct service providers, such as cable television and telephone 
service providers, now find themselves in direct competition. Not surprisingly, 
the Courts have played a significant role in these new conflicts. 

The Supreme Court’s decision in National Cable & Telecommunica- 
tions Association et al v Brand X Internet Services et al[17] (hereinafter “Brand 
X”) in June 2005 held that content and applications providers could no longer 


504 








count on regulation to guarantee access to cable modem and DSL systems. 
[18]. 

The FCC’s ruling under the 1996 Act classified broadband cable 
modem service as an "information service" because Internet access was a ca- 
pability for manipulating and storing information, but not a "telecommunica- 
tions service," due to the integrated nature of such access and the high-speed 
wire used to provide it.[19] Thus, broadband cable modem service was not 
subject to mandatory Title II of the Communications Act of 1934, 48 Stat. 1064, 
as amended, 47 US.C.S. § 151 et seq., common-carrier regulation. Within 
weeks, the Commission then ruled that DSL was also an information se- 
rvice.[20] Thanks to this reclassification, DSL carriers are no longer subject to 
the requirement that they share DSL lines with broadband competitors; the 
FCC required that carriers honor existing agreements for one year, which expi- 
red in August, 2006.[21] Collectively, these decisions re-ignited the network 
neutrality debate. 


4.2. Network Neutrality and Oral communications 


The network neutrality debate focuses on whether last-mile providers are bloc- 
king access to content and applications. Network neutrality assures that tele- 
communication infrastructures remain “dumb,” delivering content and services 
equally in a “best-effort.” This best effort usually entails packets being deli- 
vered in a “first-in first-out” (FIFO) method at the maximum speed possible 
given network constraints. Under network neutrality, network operators do not 
decide what content users can access. Further, they cannot impede the flow or 
give preferential treatment to particular kinds of content. 

Leading broadband companies argue that they have not blocked ac- 
cess to content or applications and that market forces prevent them from doing 
so in the future.[22] This market argument is erroneous because broadband se- 
rvice providers (BSPs) are effectively preventing consumers from accessing 
an array of Internet applications and creating a tiered Internet by granting pre- 
ferential treatment to application and NCPs that compensate BSPs moneta- 
rily.[23] 

So far, the current debate has lacked a discussion of privacy. Within the 
U.S, oral communications receive protection from the legislative and judicial 
branches. Since Katz v. United States,[24] courts have routinely forbidden third 
parties from tapping or monitoring oral communications. However, they just 
as routinely permit business to track, store and sell data packets transmitted in 
the same way with the implied or explicit consent of either party engaged in the 
transmission. The digital age and VoIP[25]have muddled the jurisdictional di- 
stinction between voice and data information.[26] With the convergence of 


505 


oral and data into a single transmission medium, the Courts, like computers, are 
unable to distinguish between oral and data communications.[27] 

The use of the VoIP and analogous technologies has made this legal di- 
stinction impossible to uphold because oral and data communications now tra- 
vel over the same wires simultaneously in digital data packets.[28] 

The courts have found telephone communications protected from go- 
vernmental privacy invasions in two principal ways.[29] First, parties to a voice 
conversation are entitled to a "reasonable expectation of privacy" under the 
Supreme Court opinion of Katz v. United States.[30] Secondly, the Federal 
Wiretap Act of 1968 prevents unauthorized third-party interceptions of tele- 
phone communications, save for two scenarios: 1) the interceptor is in po- 
ssession of a court-mandated order or; 2) either of the involved parties in the 
communication have already provided consent.[31] The Katz opinion explains 
the rationale behind the Supreme Court's oft-quoted statement that the Fourth 
Amendment protects people, not places,"[32] and concludes that an entity’s 
reasonable expectation of privacy must be protected from government sear- 
ches. The Federal Wiretap Act was Congress’s response to the Katz opinion and 
was an attempt to prevent electronic surveillance of oral telephone communi- 
cations without a court order.[33] 

Title III of the 1968 Omnibus Crime Control and Safe Streets Act (the 
"Wiretap Act")[34] initially afforded extensive protection to wire communica- 
tions—oral communications were protected only when there were reasonable 
expectations of privacy.[35] Because the legislation covered both face-to-face 
oral communications and traditional point-to-point wired communications, co- 
urts were faced with myriad interpretive difficulties.[36] To correct the pro- 
blems with Title III, Congress amended the Wiretap Act by passing the 
Electronic Communications Privacy Act of 1986 (ECPA).[37] Congress desi- 
gned the ECPA to prohibit the intentional interception of oral, wire, and elec- 
tronic communications.[38] Because Congress was concerned with 
advancements in electronic technology that would be capable of defeating any 
privacy expectations, the ECPA enacted a strict set of standards for the inter- 
ception of oral, wire, and electronic communications.[39] Congress further 
expanded the protection of wireless communication by passing the Communi- 
cations Assistance for Law Enforcement Act of 1994 (CALEA), which exten- 
ded Title III to the radio portions of cellular and cordless phones. [[40] 

While the US courts forbid third parties to tap or monitor oral tele- 
phone communications,[41] they routinely permit data packets[42] to be trac- 
ked, stored, and sold by third parties with the implied[43] or explicit[44] 
consent of either party engaged in the transmission. In the digital age, howe- 
ver, the law-made distinction between voice and data has become unclear. With 


506 








the convergence of oral and data communications into a single transmission 
medium, the courts are unable to distinguish between oral telephone and elec- 
tronic communications.[45] The use of VoIP and other broadband communi- 
cation technologies has made this legal distinction impossible to uphold 
because oral telephone and electronic data communications now travel over 
the same wires simultaneously, encapsulated in digital data packets.[46] 

VoIP is a technology for transmitting ordinary telephone calls over the 
Internet. VoIP can send oral, fax and other information over the Internet, rather 
than through the Public Switched Telephone Network (PSTN) or regular tele- 
phone network. For example, if you are connected to the Internet, you can si- 
multaneously exchange data, audio or video with anyone while using VoIP.[47] 
The convergence of separate mediums shifts the legal landscape of digital com- 
munications and requires further examination. This examination must proceed 
in light of the disparity in judicial treatment between oral telephone and elec- 
tronic data communications, with oral telephone communications generally re- 
ceiving a higher level of privacy protection.[48] 

VoIP is no longer a fledgling technology; it is rapidly becoming a ma- 
instream communication product along with several other broadband commu- 
nication technologies. Both corporate and individual consumers are using VoIP 
to reduce communication costs by capitalizing on their existing connections 
to Internet broadband infrastructure.[49] 

VoIP cost savings arise[50] from the ability to transmit oral and data 
communications simultaneously over the same medium,[51] thereby elimina- 
ting the need for multiple phone and data lines in a home[52] or business. 

While the market’s invisible hand has already fostered technical inno- 
vations making some VoIP services superior to those offered by the traditional 
PSTN, [53] the legislature and the courts have yet to resolve two primary legal 
issues that are likely to hinder the United States’ adoption of VoIP as the new 
oral communication standard. First, VoIP will have to contend with the exten- 
sion of Congressional legislation from the PSTN to VoIP carriers to tax the 
transmission of data[54] and to regulate communication networks and line mo- 
nopolies.[55] Second, the degree of privacy, if any, the law can provide to VoIP 
oral communications must be defined.[56] The taxation issue lies entirely in the 
hands of a legislature that is actively attempting to extend PSTN taxation to IP 
communications networks. 

VoIP and other broadband communication technologies opens a para- 
digm of oral privacy, which will place a considerable strain on the existing ju- 
dicial canons protecting oral and data communications. This legal privacy 
dichotomy poses a substantial risk that parties legitimately monitoring Internet 
data streams will unlawfully monitor constitutionally protected private oral 
communications. 


507 


Under the current legal framework, unauthorized third-party access to 
oral telephone communications made from the privacy of one’s home consti- 
tutes an invasion of any non-consenting person’s privacy. Courts will probably 
extend these privacy rights to VoIP communications because the Supreme 
Court has recognized oral communication privacy rights within the context of 
the home.[57] Because it is physically transmitted in the form of digital data 
packets over the Internet, VoIP oral communications, though essentially indi- 
stinguishable from Internet data communications, are legally protected by a 
constitutional right of privacy preventing third parties from tracking, tapping, 
storing or selling said communications.[58] 

If broadband companies triumph and a tiered Internet arises, these te- 
lecommunication/broadband companies will in varying degrees monitor and in- 
tercept digital packets. This act provides the consumer with a right to bring 
suit against the US government, the telecommunication provider, and any other 
parties for violating the federal Wiretap Act and a range of State specific laws. 


4.3. Oral Communications Delivered Over Municipal Broadband & 
Broadband Power Line Companies 


Again, if the legal points above are resolved for entities that provide private 
broadband Internet services, the issue of State-funded municipal broadband 
ISPs (MISPs) remains unanswered. In this case, since the state is the broadband 
provider, there are greater duties lying upon the state to protect its citizens’ 
right to privacy and provide its citizens with unfettered access to information, 
as set-forth under the US constitution and in some instances at the state-level. 
Arguably, a MISP, which does not enforce the precepts of network neutrality, 
regardless of whether it violates Federal and States’ privacy rights, exposes it- 
self to legal suit. 

States that explicitly recognize a citizen’s right to privacy (e.g. Cali- 
fornia)[59] require any MISP within that State to enforce the precepts of ne- 
twork neutrality. The reason for this derives from the fact that such ISPs cannot 
monitor a citizen’s Internet usage without cause due to state laws. Since the 
broadband provider is incapable of monitoring a client’s access, they cannot 
charge website providers, such as Google, as they cannot prove that said user 
had accessed Google via their network infrastructure. As long as Google does 
not share this information with the MISP, the above scenario is preserved. Thus, 
MISPs rend the ability to tier access impossible, resulting in de facto network 
neutrality.[60] 

At this point, it is foreseeable that the electorate compels local muni- 
cipalities to offer broadband service with unfettered access to the Internet and 
privacy protection. An alternative solution is to pass national legislation that re- 


508 








quires broadband providers to implement the precepts of NN if they receive 
either (1) tax incentives for broadband infrastructure or (2) funds to create bro- 
adband infrastructure. This approach allows broadband companies to charge 
US citizens and service providers as long as their infrastructures do not rece- 
ive taxpayer income. This thereby alleviates the significant imbalance created 
by using state funds to create broadband networks, which then do not provide 
equitable access to application services over the broadband infrastructure. 


4.4. Oral Communications & Embassies within the United States 


The US Federal government’s failure to legislate the Internet to ensure that the 
Internet does not become a tiered solution and to follow the precepts of network 
neutrality may all have significant international repercussions.[61] This is be- 
cause embassies, consulates and other diplomatic missions operating in the US 
must purchase ISP services locally both for governmental purposes as well as 
personal use by those residing on the diplomatic premises. In order to imple- 
ment domestic regulations and achieve network preference, these ISP must 
monitor the information transmitted to and from these embassies and consula- 
tes. This monitoring of the content and applications by the ISPs providing bro- 
adband service to embassies in the US violates the legal rights of the embassies 
to maintain confidential potentially sensitive information, and consequently 
may compromise the national security of these countries of any and all deci- 
sions made within US borders. 

Generally, foreign embassies and consulates on US soil enjoy special 
status and are immune under US law from attachment or execution. Despite 
this qualified immunity, section 463 of the Restatement states that “The pre- 
mises...of a state’s accredited diplomatic mission or consular post in the terri- 
tory of another state are inviolable, and are immune from any exercise of 
jurisdiction by the receiving state that would interfere with their official use.” 

Inviolability imposes a distinct obligation on the receiving state to pro- 
tect diplomatic premises from private interference. In compliance with these re- 
quirements, the District of Columbia and the US federal government have 
enacted statutes curtailing permissible activity within 500 feet of diplomatic 
premises if the sign brings the embassy’s government into “public odium” or 
“public disrepute.” 

The concept of inviolability elucidated by the Vienna Conventions sho- 
uld also apply to the manner in which private information service providers 
can transact with these foreign governments, specifically with regards to their 
capability of monitoring the information transmitted to and from these diplo- 
matic missions.[62] This monitorization is a clear example of private interfe- 
rence with diplomatic property, as any and all communications between 


509 








diplomats and their own nation are private and confidential, and should be pro- 
tected by the inviolability concept espoused by the Vienna Conventions.[63] 

However, as discussed above with recent Supreme Court decisions, 
information service carriers providing broadband Internet services are not con- 
strained by the requirements imposed on telecommunications service provi- 
ders. As a consequence, the lack of a cognizable regulatory framework for 
these private companies can result in the infringement of the privacy rights of 
these foreign governments. In the absence of network neutrality, it is possible 
that these information service providers can monitor the content of the com- 
munications entering and exiting the walls of these diplomatic missions, the- 
reby violating the central precepts of the Vienna Conventions. 


5. Recommendations 


Even at a regulatory level (European and the US), we have seen a divergence 
of views on the need for network neutrality. Below are some preliminary rec- 
ommendations that deal with network neutrality at an industry level without 
going through the legislative route. 


5.1. Market Solutions for Cable Providers Compel Broadband Com- 
panies to implement Network Neutrality 


One solution is for application providers in the United States and abroad to co- 
alesce together and decide to restrict their content from broadband companies 
unless the companies follow a set of principles and contractually obligate them- 
selves to a technological solution driven by the precepts of network neutrality. 

Secondly, two US providers [64] are releasing “broadband over power 
line” services in Dallas, Texas. If more network providers follow suit, there 
would be less inclination by them to block services such as Web TV, YouTube 
and VoIP calls. 

Thirdly, another plausible solution which should be considered by the 
FCC in the US is the need to encourage more competition between network op- 
erators as in Europe so that consumers have a choice to switch from one net- 
work operator to another. This could be enhanced by a network competitor 
offering to ease the migration process for the consumer. Furthermore, there 
should be more than one network operator offering to provide broadband ac- 
cess. If a network operator refuses to allow customers to switch providers, then 
the FCC could investigate whether the network operator was abusing its mo- 
nopoly position (as in Europe). 


510 








6. Conclusion 


Currently, the European legal framework (in particular, the Access and Inter- 
connection Directive) provides a robust structure to deal with access tiering 
between network and application service providers. Whilst the possibility of ac- 
cess tiering may occur between network and application providers, the current 
EU framework is sufficient to deal with this without the need for further reg- 
ulations. 

The current state of the US law is in a state of flux and the broadband 
debate is certain to continue in the future. The US Congress will need to act to 
ensure network neutrality to address the main legal questions: US citizens’ con- 
stitutional right to privacy, a fragmented Internet due to state-based network 
neutrality legislation, US citizens’ right to access federal or state information, 
and regulatory issues specific to broadband power line technology. 


Two strong policy arguments further support the adoption of the ne- 
twork neutrality principles. The first policy argument draws from the 
following: 

If a device performs the same technical function as a telephone, then 
those analogous communications should receive the same regulatory 
and legal protections treatment as a telephone. 


While the technology medium to transport the communication is new, 
the communication itself is unchanged. Therefore, the laws and statutes go- 
verning the oral communication themselves, not the medium, must still apply. 

The second policy argument focuses on the fact that the US prohibits 
both the government and companies from monitoring communications in order 
to dictate how and who individuals can communicate. Specifically, failure by 
the government to ensure the neutrality of these networks will allow broad- 
band companies to act both as ISPs and as content creators. Furthermore, these 
companies will have a financial interest in prioritizing their own content and 
in threatening an individual’s right to privacy. Overall, the solution to the pro- 
blem in the US is likely to require legislation at the Federal level until there is 
foreseeable potential for a fractured Internet. 


Notes 


[1] Zeman, Eric M. “Paper sparks wireless net neutrality debate.” March 10, 2007 
<http://freepress.net/news/21377> 

[2] Reidenberg, Joel R. “Governing networks and rule-making in cyberspace.” Emory Law 
Journal, 1996: 45 p. 911. Johnson, David R and David G. Post. “Law and Borders — the rise 
of law in Cyberspace.” Stanford Law Review, 1996: 48 p. 1367. Froomkin, Michael A. 
“The Internet as a source of regulatory arbitrage.” March 2007. 








511 








[3] “The Buzz Report; Net Neutrality: Bring it On.” CNET. March 10, 2007 < 
http://www.cnet.com/4520-6033_1-6548559-1.html> 

[4] Framework Directive 2002/21/EC on a common regulatory framework for electronic 
communications networks and services, OJ L 108/33, 24 April 2002. Authorization Direc- 
tive 2002/20/EC on the authorization of electronic communications networks and services 
OJ L 108/21, 24 April 2002. Access and Interconnection Directive 2002/19/EC on access 
to, and interconnection of, electronic communications networks and associated facilities, 
OJ L108/7, 24 April 2002. Universal Service Directive 2002/22/EC on universal service and 
users’ rights relating to electronic communications networks and services, L 108/7, 24 
April 2002. The Directive on Privacy and Electronic Communications 2002/58/EC con- 
cerning the protection of personal data and the protection of privacy in the electronic com- 
munications sector, OJ L 201/37, 31 July 2002 

[5] The latter half of Article 2(c) of the Framework Directive specifically provides that 
electronic communications services does not include ‘services providing, or exercising ed- 
itorial control over, content transmitted using electronic communications networks and 
services.’ 

[6] At the retail level, Articles 17-19 of the Universal Services Directive apply. 

[7] “The Communications Market: Broadband: Digital Progress Report.” Ofcom. April 2, 
2007 <http://www.ofcom.org.uk/research/cm/broadband_rpt-/broadband_rpt.pdf> In the 
UK, it was identified in the report that over a quarter (27%) of residential Internet users had 
changed service providers in the last quarter of 2006 (Q3, 2006). 

[8] Jbid., at 38. 

[9] Ibid. 

[10] Art. 5(1)(1)(a) of the Access and Interconnection Directive, which enable NRAs to 
impose obligations on undertakings that control access to end users to ensure end-to-end 
connectivity. 

[11] Regulation No. 2887/2000 of December 18, 2000 on unbundled access to the local 
loop, O.J. 2000 L336/4. See also Ofcom. LLU factsheet (http://www.ofcom.org.uk/sta- 
tic/archive/oftel/publications/broadband/dsl_facts/LLUbackground.htm), Last accessed 7 
August 2007. 

[12] Shared access occurs when voice traffic and broadband access are managed by diffe- 
rent access providers. 

[13] Review of the fixed narrowband wholesale exchange line, call origination, conveyance 
and transit markets. November 28, 2003 <http://www.ofcom.org.uk/consult/condocs/nar- 
rowband_mkt_rvw/nwe/fixednarrowbandstatement.pdf> and Review of the wholesale bro- 
adband access markets. May 13, 2004 
<http://www.ofcom.org.uk/consult/condocs/wbamp/wholesalebroadbandreview/broadband 
accessreview.pdf> [14] Sec. 1. 35-A MRSA § 7109. Nondiscriminatory provision of Inter- 
net services 

[15] M.J. Culnan, Protecting privacy online: is self-regulation working? Journal of Public 
Policy and Marketing 19 (1), 2000, pp. 20-26. 

[16] 47 US.C.S. §§ 151 et seq. 

[17] 545 US 967 

[18] One indirect consequence of this was that companies such as Google, Microsoft, Earth- 
link and Intel began pouring money into wireless broadband and Broadband Over Power- 
line (BPL). 

[19] 540 US 398. 

[20] Ibid. 

[21] bid. 

[22] Amy Schatz & Anne Marie Squeo, As Web Providers’ Clout Grows, Fears Over Ac- 
cess Take Focus: FCC’s Ruling Fuels Debate Between Broadband Firms and Producers of 
Content, WALL ST. J., Aug. 8, 2005, at Al 


512 








[23] Tripp Blatz, Three Carriers Have Now Blocked Access to Ports for VoIP, Vonage Cha- 
irman Alleges, TELECOMM. MONITOR, Aug. 23, 2005. 

[24] 389 US 347 (1967) 

[25] Daniel B. Garrie, Matthew J. Armstrong, Donald P. Harris, Voice Over Internet Pro- 
tocol and the Wiretap Act: Is Your Conversation Protected?, 29 Seattle U. L. Rev. 97 (2005). 
[26] Ibid 

[27] Daniel B. Garrie, Matthew J. Armstrong, Donald P. Harris, Voice Over Internet Pro- 
tocol and the Wiretap Act: Is Your Conversation Protected?, 29 Seattle Univ. L. Rev. 97 
(2005). 

[28] Ibid. 

[29] Frierson v. Goetz, 227 F. Supp. 2d 889, 896-97 (M.D. Tenn. 2002) (describing a two- 
part test for determining qualified immunity). 

[30] 389. US 347, 350 (1967). 

[31] 18 US.C. §§ 2510-2521.(2004). 

[32] Katz, 389 US at 351. 

[33] United States v. Andonian, 735 F. Supp. 1469, 1471 (C.D. Cal. 1990); S. REP. NO. 90- 
1097, at 66-72 (1968); 1968 US Code & Admin. News 2110, 2153-2159. 

[34] Pub. L. No. 90-351, tit. III, § 802, 82 Stat. 212 (1968). 

[35] United States v. McKinnon, 985 F.2d 525, 527 (11th Cir. 1993) 

[36] Edwards v. Bardwell, 632 F. Supp. 584, 589 (M.D. La.), aff'd, 808 F.2d 54 (Sth Cir. 
1986) 

[37] Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified at 18 US.C. §§ 2510-2521, 2701- 
$2710, 3117, 3121-3126 (1986)). 

[38] S. REP. NO. 99-541 (1986), reprinted in 1986 US.C.C.A.N. 3555, 3555-3557. 

[39] 18 US.C. § 2518 (2004). 

[40] Pub. L. No. 103-414, 108 Stat. 4279 (1994) (amending 18 US.C. § 2510 (2004)). 
[41] Katz v. United States, 389 US 347, 353 (1967) 

[42] Vonage Holdings Corp. v. Minnesota Pub. Utils. Comm’n, 290 F. Supp. 2d 993, 994 
(D. Minn. 2003) 

[43] In re DoubleClick, Inc. Privacy Litig. 

[44] In re Pharmatrak, Inc., 329 F.3d 9, 19-22 (2003); Directv, Inc. v. Spokish, 2004 WL 
741369, at *3, 17 (M.D.Fla. Feb 19, 2004); Dyer v. Northwest Airlines Corporations, 334 
F. Supp. 2d 1196, 1198 (D.N.D. Sep 08, 2004); Freedman v. America Online, Inc., 325 F. 
Supp. 2d 638, 643 (E.D.Va. Jul 12, 2004). 

[45] Vonage, 290 F. Supp. 2d at 1000-03. 

[46] FROST & SULLIVAN, VOIP EQUIPMENT 2003 WORLD MARKET UPDATE (2003) 

[47] CARL SHAPIRO & HAL R. VARIAN, INFORMATION RULES: A STRATEGIC GUIDE TO THE 
NETWORK Economy (1999). 

[48] Compare Katz v. United States, 389 US 347, 353 (1967) 

[49] Stan Gibson, VoIP Passes Nissan Road Test, EWEEK, Jan. 24, 2005, at 33. 

[50] Paul Taylor & Peter Thal Larsen, Time Warner Cable Plans Big Push Into Internet- 
Based Phone Services, FIN. TIMES, Dec. 9, 2003, at A1. 

[51] Internet Engineering Steering Group, Internet Architecture Board, JETF Policy on Wi- 
retapping, RFC 2804, INTERNET ENG’G Task Force (May 2000) (discussing how VoIP uses 
the Internet’s open network architecture and stating that VoIP and Internet communications 
transmit on a single interconnected digital network). 

[52] By the end of 2006, more than half of all 110 million-odd households in the US will 
likely have the option of getting phone service from their cable companies. By 2008, cable 
companies will be selling phone service to 17.5 million subscribers, compared with 2.8 
million at the end of 2003, according to an estimate by research firm Yankee Group. Peter 
Grant, Here Comes Cable.., WALL St. J. Sept. 13, 2004 at R4. 





513 


[53] Sheff, David, Betting on Bandwidth, WIRED, Feb. 2001, at 144-56. 

[54] Congress’s decisions to tax and regulate VoIP technology are beyond the scope of this 
paper. 

[55] Declan McCullagh, Congress Proposes Tax on All Net, Data Connections, Jan. 28, 
2005, available at 
http://news.com.com/Congresst+proposes+tax+ontall+Net,+datat+connections/2100- 
1028_3-5555385.html (last visited July 20, 2005). 

[56] Katz v. United States, 389 US 347, 353 (1967) 

[57] United States v. Karo, 710 F.2d 1433, 1441 (10th Cir.1983) 

[58] Bartnicki v. Voppe, 532 US 514 (2001) 

[59] FTC Staff Report, at 29-31. 

[60] NEW MILLENNIUM RESEARCH COUNCIL, ‘NOT IN THE PUBLIC INTEREST 
- THE MYTH OF MUNICIPAL WI-FI NETWORKS’: WHY MUNICIPAL SCHEMES 
TO PROVIDE WI-FI BROADBAND SERVICE WITH PUBLIC FUNDS ARE ILL-AD- 
VISED (Feb. 2005), http://www.newmillenniumresearch.org/archive/wifireport2305.pdf 

[61] Contribution by Kaushik Rath. 

[62] Boos v. Barry, 485 US 312 (1988) 

[63] Id. 

[64] Richards, Jonathan. Web TV demands high-power broadband. August 15, 2007 
<http://technology.timesonline.co.uk/tol/news/tech_and_web/article2265400.ece>. 


514 








The Enhancement of Transparency in Internet 
Governance 


Prof. Dr. Rolf H. Weber 


Chair professor for international business law 
University of Zurich 


Abstract: In Internet governance, transparency issues merit 
more extensive consideration: the Internet offers valuable opportunities 
for transparent communication and for the achievement of open access 
to discussion topics, thereby enhancing information exchange and dia- 
logue between the governance-related institutions and the interested par- 
ties concerned. Transparency could also promote the mobilization of 
new actors and the participation of the civil society; such development 
would increase the level of democratic legitimization through active in- 
volvement. ICANN has recognized the need to improve the transparency 
framework within its structures; the ongoing attempts should be streng- 
thened by scholar research supporting the effort of the ICANN bodies in 
the present consultation phase. Since a transparent methodology for rule- 
making processes based on revisable procedures reduces mistrust, trans- 
parency should become a persistent objective of governance 
mechanisms. 


Biographical Notes: Rolf H. Weber is chair professor for international business law 
at the University of Zurich and attorney-at-law in Zurich. This paper has greatly ben- 
efited from very valuable support of lic.iur. Mirina Grosz, research assistant at the Uni- 
versity of Zurich. 


Key Words: Domain Name System, Internet Governance, Objectives of Transpa- 
rency, Participation of Civil Society, Structural Framework for Transparency 


Introduction 


Accompanying the changing institutionalization of Internet governance, a sa- 
tisfactory governance system for all of the different stakeholders involved sho- 
uld encompass a substantial enhancement of transparency. This objective is 
not new. Already one hundred years ago the Supreme Court Justice Louis Bran- 
deis said: “Sunlight is said to be the best of all disinfectants” (Brandeis, 92). 

Transparency is central, both as a goal of regulation and as an attribute 
of the regulatory system (Fawcett, 49). Moreover, the importance of transpa- 
rency stems from its relevance for the achievement of other important tenets 
of regulation, such as independence and accountability of regulators 
(Weber/Grosz, 131; Amtenbrink). 


515 





2. Guiding Principles of Transparency 


Transparency is often defined as “easily seen through or understood” (Oxford 
Dictionary). Characteristics which are allocated to transparency are clarity, ac- 
countability, accuracy, accessibility and truthfulness (Weber/Grosz, 131). 
Transparency is an important topic in many market segments, and has most 
notably been addressed in the discussions on governance, in particular, regar- 
ding financial markets (Lastra/Shams, 170; Mock, 1082). With the increasing 
importance of international players, governance has become more complex, 
encompassing local, regional and global zones, which, in fact, do not operate 
independently of one another. Under the term of global governance, processes 
of integration and harmonization can be detected within governance discus- 
sions (Brownsword/Lewis, vii). Thereby, transparency is seen as an important 
component of good governance. 


Transparency can be differentiated into three main aspects (SNF, part 
II): 


e Procedural transparency encompasses rules and procedures in the ope- 
ration of organizations; such rules must be clearly stated, have an 
unambiguous character and should be publicly disclosed. In addition, 
they should make processes of governance and lawmaking accessible 
and comprehensible for the public. An important aspect is the due pro- 
cess principle. 

e Decision-making transparency is based on the acknowledgement of 
access to political mechanisms; reasoned explanations for decisions, 
together with public scrutiny, strengthen the institutional credibility 
and legitimacy of governmental decisions. 

e Substantive transparency is directed at the establishment of rules con- 
taining the desired substance of revelations, standards and provisions 
which avoid arbitrary or discriminatory decisions; furthermore, sub- 
stantive rules can include requirements of rationality and fairness. 


Furthermore, various directions of transparency can be summarized as fol- 
lows (see Heald, 27-28): 


e ‘Transparency upwards means that the hierarchical superior/principal is 
in a position to observe the conduct, behavior, and/or “results” of the 
hierarchical subordinate/agent, usually in a principal-agent relation. 

e Transparency downwards means that the “ruled” are in a position to 


516 











observe the conduct, behavior, and/or “results” of their “rulers”; this re- 
lationship figures prominently in democratic theory and practice often 
under the umbrella of “accountability”. 

e Transparency outwards means that the hierarchical subordinate or 
agent is in a position to observe what is happening “outside” the orga- 
nization; this ability is important to monitor the behavior of an orga- 
nization’s peers and/or competitors. 

e Transparency inwards means that those outside are in a position to ob- 
serve what is going on inside the organization; the topic insofar is the 
freedom of information. 


To the extent that upward and downward transparency co-exist in pa- 
rallel, there is symmetrical vertical transparency. As far as outward and inward 
transparency exist in parallel, there is symmetrical horizontal transparency. 
Otherwise, vertical and horizontal transparency is either completely absent or 
asymmetrical (Heald, 27 and 29). 

“Transparency facilitates compliance, effectiveness and the ability to as- 
sess both” (Mitchell, 111). In the light of these findings, transparency has be- 
come a key issue within private enterprises and governmental organizations, 
both on national and international levels. Discussions under the notion of Cor- 
porate Governance have addressed transparency in particular and have carved 
out important aspects on the subject. Both theory and practice attempt to limit 
information asymmetries or to specify information flows between the central 
players of an entity. This facet of accounting and disclosure has been develo- 
ped substantially along with the corporate institutional developments in the 
19th century, when the obligation to post publicly accessible accounts became 
a condition of limited liability status and the stock market listing (Hood, 17 
and 20). 

In the 20th century, extensions of the corporations’ obligations to disc- 
lose and publish information about themselves emerged steadily, together with 
advanced regulations as well as audit and accounting reforms, and ostensibly 
intended to produce “reassurance” in the aftermath of financial “clashes” 
(Hood, 17). The extension of disclosure obligations is partly also a reflection 
of the development of ideas about “information asymmetry” by institutional 
economists working on transaction costs and principal-agent theories 
(Berle/Means). Furthermore, legal thinkers started to “look inside” institutions 
and devise doctrines and systems of regulation that focused on their informa- 
tion flows, examining for instance the kinds of information that had to be re- 
ported to the board of directors and the kind of expertise that had to be 
represented there (Hood, 18). 


517 





Linked to these developments is the emerging appreciation of the right 
to access information, which introduces a human right aspect under the term 
of freedom of information (Birkinshaw, 204, 216). Transparency has also been 
acknowledged to be a crucial issue when addressing the effectiveness of in- 
ternational regimes. The promotion of transparency is often enough one of their 
important functions, for instance when referring to the submission of reports 
to the Human Rights Committee according to article 40 ICCPR. However, the 
methods with which a regime can actually foster transparency have remained 
rather unexplored so far. Generally speaking, transparency enhancement de- 
pends on the purposes for which information is sought, the capacity and in- 
centives of actors to provide that information, and the strategies adopted to 
foster transparency (Mitchell, 109-110). 


Transparency Situation in the Present Domain Name System 
3.1 Domain Name System 


The Internet originally emanated from the ARPANET, a project established by 
the US Department of Defence’s Advanced Research Projects Agency 
(DARPA) in the 1960s. Every computer linked to the Internet needed a nume- 
ric address — an Internet Protocol (IP) address — in order to be identified and 
accessed by others. Jan Postel, one of the founders of the Internet, had the idea 
of translating these numbers into names, the so-called domain names, which 
identify every user of the Internet and guarantee that each web and email ad- 
dress is unique. As part of this project, Postel maintained a list of host names 
and addresses, and therewith commenced with the DNS. He defined seven “ge- 
neric top level domains” (gTLDs): “.com” for commercial activities, “org” 
for organizations and “net” for networks as three universal top level domains; 
“.gov” for governments, “.edu” for universities and “.mil” for the military as 
three gTLDS for use in the USA only, and “.int” for intergovernmental treaty 
organizations. Later on, the list of gTLDs was enlarged. In particular, each co- 
untry was given its own name according to the so-called “country code top 
level domain” (ccTLDs) such as “.ch” for Switzerland, “.uk” for the United 
Kingdom and.“.us” for the USA. 

Due to its special nature, there is no central governing core of the Inter- 
net. However, the functioning of the Internet is dependent on universal reso- 
Ivability, which permits netizens to find all valid addresses on the Net. The 
Internet’s system of unique identifiers for this purpose is classified into three 
sets of Domain, the Internet protocol (IP) addresses and autonomous system 
(AS) numbers, and the protocol port and parameter numbers. The Internet Cor- 
poration for Assigned Names and Numbers (ICANN) is responsible for the 


518 








management and oversight of these specific functions (Article I Section 1 
ICANN Bylaws). 


3.2 Internet Corporation for Assigned Names and Numbers 
(ICANN) and Transparency 


ICANN is a non-profit public benefit organization, which was created through 
a Memorandum of Understanding (MoU) between the US Department of Com- 
merce and ICANN in 1998. As the responsible organization for controlling the 
Internet’s naming and numbering, ICANN is in the position to decide which de- 
vices can connect to the Internet and with which names, thus being a prominent 
player in Internet governance (Mayer-Schonberger/Ziewitz, 193). 

The emerging discussions on Internet governance were endorsed by the 
World Summit on Information Society (WSIS). Thereby, ICANN emerged as 
a subject to harsh criticism, almost leading to the collapse of the first part of 
the WSIS under the weight of the conflict-laden issue. Generally, three sets of 
objections can be distinguished against the organization: 


e ICANN positions itself as a private, standard setting and technical co- 
ordination entity. However, this contradicts the making of public po- 
licy decisions by the organization, such as the adding of new TLD’s to 
the root — findings that do not only have technical implications but also 
require value choices. Since [CANN cannot be qualified as an inter- 
national organization with sovereign competencies nor as a national 
legislator, the organization lacks genuine authority to set legal norms 
legitimately (Froomkin, 94-105). 


e Although ICANN was framed as a global organization, it is materially 
influenced by and politically dependent on the US. It was established 
based on a Memorandum of Understanding with the US Department of 
Commerce, which expired on 30 September 2006, but was extended 
through the adoption of the three year Joint Project between the two 
parties. The influence that US domestic concerns could have on ICAN- 
N’s actions as well as debates on the organization’s dispute resolution 
process, the Uniform Domain Name Dispute Resolution Policy 
(UDRP) levied many objections that have culminated in a call for a 
more internationalized organization with procedures enabling “real” 
consensus and rule-making, giving bargaining power to all of the par- 
ticipants including those with politically less powerful interests 
(Mayer-Schonberger/Ziewitz, 194-197; Froomkin, 95; Weinberg, 216- 
217, 250, 256-257; Drissel 115). 


519 











e Particular objections have addressed the lack of an adequate democra- 
tic and legitimized background required for an entity such as ICANN, 
which plays the sort of role more commonly adopted by public entities 
(Weber/Grosz, 123; Mayer-Schiénberger/Ziewitz, 194; Kleinwachter, 4 
[2001]; Kleinwachter, 248-249 [2004]; Weinberg, 216, Weber, 74, 
105). Questions on ICANN’s democratic legitimacy arise in particular 
due to the fact that its techniques of representation are deemed to be 
unsatisfactory, since they do not actually reflect the heterogeneous In- 
ternet community within the organization’s structure. Initially, the in- 
dividual Internet user’s participation in ICANN’s activities and 
particularly his role selecting ICANN’s Board Members was endor- 
sed: Five members of ICANN’s Board (so-called “At-Large Direc- 
tors”) were to represent users in different geographic regions and to 
be selected through Internet-wide elections (Article II Section 1 & 2, 
Article V Section 6 ICANN Bylaws 2000). Two years later however, 
the At-Large Board Members were abolished. In exchange, ICANN 
provided for a selection process, which tries to enhance certain geo- 
graphic diversity merely within the Board Members. This was critici- 
zed and was not appeased by ICANN’s subsequent adoption of 
legitimizing techniques from US administrative agencies (Mayer- 
Schénberger/Ziewitz, 196; Weinberg, 235, 245, 249, 258; see Article 
VI-X ICANN Bylaws). In particular, the representation of the go- 
vernments through the Governmental Advisory Committee (GAC) is 
not deemed satisfactory since it is only based on ICANN’s bylaws and 
not on an intergovernmental treaty (Weinberg, 235, 249, 258). Fur- 
thermore, it doesn’t enable their actual representation since the Com- 
mittee merely possesses a consultative status. 


In order to address the controversies over ICANN, enhancing transpa- 
rency could be a viable approach. The disclosure of ICANN’s role in policy 
making and Internet governance could provide for a first step towards the ap- 
peasement of critics against the organization. Furthermore, the clear presenta- 
tion of the US government’s influence on the DNS, as well as the open 
communication of represented interests within the Board could strengthen pu- 
blic confidence. Together with more transparent election-processes and deci- 
sion-making procedures both within the organization as well as within its 
Uniform Domain Name Dispute Resolution Policy (UDRP), ICANN’: legiti- 
macy could also be improved. It merits mentioning that generally, a consensus- 
driven and bottom-up approach leads to broader transparency and additionally 
makes the private entity accountable to the public, giving also non-state agents 


520 








a voice in the rulemaking process. In fact, the notion exists that private orga- 
nizations implicate more efficient functioning than governmental bureaucracy 
(Harvard Law School, 1670; Weber, 106-108). 

ICANN has realized its potential and the possible capacities transpa- 
rency enhancement could promise. It presently acknowledges the following 
transparency provisions (see also ICANN, Accountability): 


e In Art. III Section 1 the bylaws of ICANN state that the corporation 
“shall operate to the maximum extent feasible in an open and transpa- 
rent manner and consistent with procedures designed to ensure fair- 
ness”. Furthermore, Art. I Section 2 includes several objectives such as 
“employing open and transparent policy development mechanisms that 
(i) promote well-informed decisions based on expert advise, and (ii) 
ensure that those entities most affected can assist in the policy deve- 
lopment process” (No. 7), “making decisions by applying documented 
policies neutrally and objectively with integrity and fairness” (No. 8), 
“acting with a speed that is responsive to the needs of the Internet 
while, as part of the decision-making process, obtaining informed input 
from those entities most affected” (No. 9) and “remaining accountable 
to the Internet community through mechanisms that enhance ICANN’s 
effectiveness” (No. 10). 


e No.7 of the so-called “Core Values” of ICANN reads as follows (cor- 
responding to Art. I Sect. 2 No. 7 of the bylaws): “Employing open 
and transparent policy development mechanisms that (i) promote well 
informed decisions based on expert advise and (ii) ensure that those en- 
tities most affected can assist in the policy development process” sho- 
uld guide each of the decisions and actions of ICANN, respectively 
(ICANN, Annual Report, 6). 


e The new agreement with the US Department of Commerce contains a 
specific provision on transparency (No. 2): “ICANN shall continue to 
develop, test and improve processes and procedures to encourage im- 
proved transparency, accessibility, efficiency and timeliness in the con- 
sideration and adoption of policies related to technical coordination of 
the Internet domain name system (DNS) and funding for ICANN ope- 
rations. ICANN will innovate and aspire to be a leader in the area of 
transparency for organizations involved in the private sector manage- 
ment” (ICANN, Annual Report, 10). 


521 














In the Annual Report of 2005-2006 ICANN describes the transparency 
and accountability principles as follows: “There have been changes to 
the website but it is clear that the site needs substantial rework, con- 
centrating on building a content management system and information 
architecture”. 


In the meantime, ICANN started a review process of its responsibilities 


with the support of an expert group. Thereby, transparency was addressed in 
connection with five major duties (ICANN, Annual Report, 33): 


Established consultation should be enhanced to develop Transparency 
and Accountability Management Operating Principles; 

Commenced work on the website should continue to improve accessi- 
bility and transparency; 

Established subscriber news alerts and newsletter services should be 
maintained; 

Project plans should be linked to Operating Plan and published so that 
work progress can be clearly monitored; 

Implementation of policy for considering new registry services sho- 
uld be fully implemented. 


The elements of transparency which are to be improved are the follo- 


wing according to the draft of ICANN’s transparency frameworks and princi- 
ples of 23rd June 2007 (ICANN Accountability & Transparency): 


Accountability at ICANN; 

Financial transparency at ICANN; 

Dispute resolution at ICANN; 

Documentary information disclosure policies; 
Consultation principles; 

Translation principles; 

Codes of conducts. 


In a nutshell, it can be said that ICANN has become aware of the im- 


portance of transparency issues and is working on their improvement; in this 
context it appears to be worthwile to have a look at the experiences made in 
other market segments. 


522 








4. Transparency — an Increasingly Important Issue also in 
Other Markets 


The issue of transparency is becoming an increasingly important issue in dif- 
ferent international markets. Enhancing transparency is deemed as a decision 
on management style and a stance of good governance. Standing out, due to 
their explicit referral to transparency issues, are the WTO, the EU, as well as 
the IMF/World Bank framework. The following outline sketches possible in- 
puts for the enhancement of transparency in Internet governance. 


4.1 Transparency in the WTO Framework 


In the WTO Framework, transparency is addressed in many provisions leading 
to the generally accepted acknowledgement that the principle of transparency 
is at the core of virtually all trade agreements. Article X of the GATS contains 
definitions of the general transparency obligations and addresses the issue of 
transparency in the context of publication and administration of trade regula- 
tions stating that laws, regulations, judicial decisions and administrative ru- 
lings of general applications shall be published promptly (van den Bossche, 
467-471). Similar obligations of transparency are contained in Articles III, VI 
and VII (indirectly) of the GATS. The purpose of the transparency provisions 
can be seen in the objective to achieve a greater degree of clarity, predictabi- 
lity and information about regulations. As far as services are concerned, trans- 
parency concerns categories such as the establishment of contact points, the 
development of domestic regulation, the application and enforcement of regu- 
latory measures as well as the procedures for licensing and qualification (van 
den Bossche, 496-497). 

The achieved transparency facilitates the member states of the WTO to 
enter into the cross border trade of goods and services due to the fact that the 
regulations of the trading partner countries are foreseeable. In other words, the 
predictability of international “relations” increases with the degree of transpa- 
rency. 

As a general observation from the experiences within the WTO, the 
conclusion can be drawn that the importance given to transparency issues by 
WTO law helps to overcome uncertainties in business processes and to im- 
prove the general basis for co-operation. This fact should also be thoroughly 
considered within the ICANN framework. 


4.2 Transparency in the EU Framework 


Transparency has always been an important aspect in the single European mar- 


523 


ket’s legal framework, particularly in the context of financial markets. The so- 
called “Transparency Directive” 2004/109/EC (OJ 2004 L 390/38 of 31st De- 
cember 2004) envisages introducing regulatory instruments for transparency in 
the EU. Its preamble states: “Efficient, transparent and integrated securities 
markets contribute to a genuine single market in the Community and foster 
growth and job creation by better allocation of capital and by reducing costs. 
The disclosure of accurate, comprehensive and timely information about se- 
curity issues builds sustained investor confidence and allows an informed as- 
sessment of their business performance assets. This enhances both investor 
protection and market efficiency”. 

Consequently, transparency as an objective to be achieved is intended to 
support an effective integration of national markets, thereby increasing eco- 
nomic growth and generating employment. Furthermore, accuracy, compre- 
hensiveness, and timing are perceived as a powerful tool for the improvement 
of the market conditions. In particular, the Transparency Directive builds a fra- 
mework which establishes minimum standards for data quality. Even if the fact 
that the EU constitutes an integrated European market cannot be overlooked, 
ICANN developments should also consider the key elements of the EU legal 
framework in transparency matters. 


4.3 Transparency in the IMF/World Bank Framework 


Elements of transparency have become a significant aspect of good regulatory 
governance and have gained increasing importance in many areas of public 
policy, in particular in the banking sector (see Goodhart, 159-162). An inter- 
national approach in this direction can be found in the “Code of Good Practi- 
ces on Transparency in Monetary and Financial Policies”, developed by the 
International Monetary Fund in co-operation with the Bank for International 
Settlements and in consultancy with several other actors in 1999. Assessments 
of the Code have highlighted the main benefits of transparency within the mo- 
netary and financial policies: (1) greater transparency enhances accountability 
of policymakers; (2) it fosters the effectiveness of monetary policy by making 
it more predictable; (3) it benefits the operation of financial markets, which 
are based on information, and it improves monetary and fiscal policy coordi- 
nation; (4) furthermore, the publication of analyses and forecasts by the cen- 
tral bank and financial agencies provides impetus for the staff to maintain a 
high quality of work (see IMF, Review of Experience; Weber/Grosz, 131). 
Additionally, the World Bank has sponsored the establishment of a worl- 
dwide database containing regulatory provisions and practices relevant for ban- 
king activities since the 1990s. The survey is very thorough and encompasses 
the banking regulations of more than 150 countries; relevant aspects are the ac- 


524 








counting practices, the external auditing, the financial statement transparency 
as well as the external ratings and the creditor monitoring. The details are 
expressed in form of variables that measure the extent of effectiveness or 
strength in the different practices, which should enable to establish compari- 
sons across countries. 

Lessons to be learned from the IMF/World Bank legal framework ma- 
inly concern the accounting practices (in a large sense); actions taken by 
ICANN representatives should always encompass the accountability princi- 
ples leading to the result that recipients of such actions are in a position to fol- 
low the line of thinking (Barth/Caprio/Levine, 145-146). 


5. Conclusions and Challenges for the Future of Internet Go- 
vernance 


Even though the harmonization of the global trade rules, the regional Euro- 
pean market, as well as the monetary and financial sector is not fully compa- 
rable to the various aspects of Internet governance at first view, valuable inputs 
can be deduced and merit further examination: 

The registration of domain names and Internet protocol addresses (IP 
addresses), the administration of the root server system, technical standards, in- 
frastructure issues etc. together form the market for Internet governance rela- 
ted commodities. Modern legal jurisprudence asserts that the validity of legal 
rules depends in part on whether those obliged by the rules can ascertain in 
advance what behavior or restraint is required. Therefore, the achievement of 
a greater degree of clarity and predictability also enhances the stability of the 
legal frameworks applicable to the Internet and consequently fosters e-trade. 
Furthermore the open communication of its governing bodies improves the 
stakeholders’ confidence in the cross-border nature of the Internet. Transpa- 
rent minimum quality standards also enhance the Internet’s conditions, as well 
as the assessment of performance and accountability. Moreover, it facilitates the 
coordination of Internet governance related regulations. 

Another important issue concerns the participation of the civil society. 
Transparent procedures allow for a certain level of democratic legitimization 
and credibility through active involvement of citizens as well as through cer- 
tain control over the decision-making processes. However, democratic parti- 
cipation in the Internet is dependent of Internet access, which from a global 
perspective, is still a very ambitious goal. Consequently, efforts are necessary 
to bridge the global divide. Altogether, a transparent methodology for rule-ma- 
king processes based on revisable procedures reduces mistrust and can have a 
legitimizing side effect, thus transparency should become a persistent objective 


525 








of governance mechanisms (Weber/Grosz, 131; Kleinsteuber, 73). 

With a glance towards the five broad themes that will be addressed in the 
Rio de Janeiro Internet Governance Forum (IGF) meeting in November 2007 
— Critical Internet Resources, Access, Diversity, Openness, Security — it beco- 
mes apparent that the governing of the Internet encompasses more aspects than 
are controlled by ICANN and involves further players. For example, several 
country code top-level domain (ccTLD) registries and regional Internet regi- 
stries (RIFs) have refused to relinquish their autonomy in favour of ICANN’s 
oversight (Drissel, 113). Various stakeholders engaged in the DNS, however, 
could imply a risk for the open governing of the Internet. 

The reflections on Internet transparency made by ICANN-related orga- 
nizations and working groups, for example the IETF Trust, realise that also 
new technical developments might jeopardize the transparency objective. On 
the one hand, while the Internet has greatly expanded both in size and in ap- 
plication diversity, its degree of transparency has diminished (Network Wor- 
king Group 2007, 2). On the other, recent inventions preserve the illusion of 
transparency while actually interfering with it; in particular the decline of trans- 
parency is having a severe effect on the deployment of end-to-end Internet pro- 
tocol security; furthermore, private addresses and Network Address Translators 
affect the degree of transparency (Network Working Group 2000, 10). Filtering, 
intended to block or restrict application usage, also has a negative impact. 

Another aspect concerns the problem that transparency, although it 
might provide great flexibility, also makes it easier to deliver unwanted as well 
as wanted traffic. Indeed, unwanted traffic (for example spam) is increasingly 
referred to as a specific justification for limiting transparency (Network Wor- 
king Group 2007, 2). Probably even more complex transparency barriers will 
have to be developed in order to counter increasingly sophisticated security 
threats. Transparency, once lost, is hard to regain, so that such an unsuccess- 
ful approach would lead to an Internet that is both more insecure and lacks 
transparency (Network Working Group 2007, 2). The elaboration of incre- 
asingly sophisticated host-based security mechanisms is less likely to sacrifice 
transparency in the process. 

The principle of transparency must be seen as an important aspect of 
good regulatory governance, since it allows the exercise of authority to be pu- 
blicly accessible and the public stakeholders to monitor the decision making 
processes. This development could be explained in view of the rise of an ega- 
litarian culture, which generally demands for transparency for everyone. Ho- 
wever, this perception contradicts the emergence of more individualist 
approaches in the new century, which the rise of privacy-protection policies 
and further security concerns suggest. A more functional strain of explanation 


526 








sees the increased transparency as a necessary kind of adaptation to prevailing 
technological and social changing conditions for governments and many other 
kinds of organizations (Hood, 216-217). In light of this perception, a certain li- 
mitation of the vast information flow could in fact promote transparency in the 
long-term, due to an enhanced overlook of the material available. 

The current concern for transparent political and economic structures 
suggests the need to reach a common understanding of transparency which can 
be achieved by observing the following five elements (Lastra/Shams, 171): 


e Availability of an organization or an institution with sufficient power 
to influence the management of resources in the society, i.e. with a role 
in governance; 

e Existence of publicly reliable information, i.e. substantive quality stan- 
dards related to information, supported by an adequate legal frame- 
work which influences the persons choices since a rational person 
would organize its conduct in accordance to the law; 

e Definition of the recipient as an essential component for the perception 
of both information and transparency; 

e Availability of information, for example by establishing disclosure pro- 
cedures, reporting requirements, granting the recipient investigative 
powers or a general right of access to information; 

e Observance of the time element, i.e. transparency implies constant vi- 
sibility of information. 


The medium of the Internet itself offers valuable opportunities for trans- 
parent communication. In fact, in order to achieve transparency in the regula- 
tion process, the Internet could be used to achieve open access to negotiations, 
collect proposals and statements from the various stakeholders concerned, pre- 
sent the decisions and results, and thereby enhance and facilitate communica- 
tion and dialogue between the different Internet governance-regulated 
institutions and the interested parties concerned. Open access to negotiations 
and information can also promote the mobilization of new actors and help them 
play their part in Internet governance. The IGF is a prominent and valuable 
example for such enhancement of dialogue. Indeed, transparency reflects the 
architectural and constitutional principles of the Internet, such as flexibility 
and openness (Weber/Grosz, 127-128). 


527 








Bibliography . 


1) 


2) 
3) 


4) 
5) 
6) 
7) 


A) 


8) 


9) 


10) 
11) 


12) 


13) 


14) 
15) 


16) 


17) 


18) 


19) 


F. Amtenbrink, The Three Pillars of Central Bank Governance — Towards a Model 
Central Bank Law or a Code of Good Governance, presentation during an IMF LEG 
Workshop on Central Banking, Washington DC, March 2004, available at 
http://www.imf.org/external/np/leg/sem/2004/cdmf!/eng/amtenb.pdf 

J. R. Barth/G. Caprio, Jr./R. Levine, Rethinking Bank Regulation, Cambridge 2006 
Berle/G. Means, The Modern Corporation and Private Property, Cambridge Mass. 
1932 

P. Birkinshaw, Freedom of Information and Openness: Fundamental Human Rights?, 
58 Administrative Law Review 2006, 177-218 

L. Brandeis, The Others Peoples Money and How the Bank Use It, New York 1914 
R. Brownsword/D. Lewis, Preface in Sorcha MacLeod (ed.), Global Governance and 
the Quest for Justice, Volume II: Corporate Governance, Oxford and Portland, Ore- 
gon 2006, vii-ix 

D. Drissel, Internet Governance in a Multipolar World: Challenging American He- 
gemony, 19 Cambridge Review of International Affairs 2006, 105-120 

C. Fawcett, Examining the Objectives of Financial Regulation — Will the New Regime 
Succeed? A Practitioner’s View in: E. Ferran/Ch. A. E. Goodhart (eds.), Regulating 
Financial Services and Markets in the 21th Century, Oxford 2001, 37-56 

M. Froomkin, Wrong Turn in Cyberspace: Using ICANN to route around the APA and 
the Constitution, 50 Duke Law Journal 2000, 17-184 

Ch. A. E. Goodhart, Regulating the Regulator — An Economist’s Perspective on Ac- 
countability and Control in: E. Ferran/Ch. A. E. Goodhart (eds.), Regulating Finan- 
cial Services and Markets in the 21th Century, Oxford 2001, 151-164 

Harvard Law School, Developments — The Law of Cyberspace, 112 Harvard Law 
Review 1999, 1574-1704 

D. Heald, Varieties of Transparency, in: Ch. Hood/D. Heald (eds.), Transparency. The 
Key to Better Governance?, Oxford 2006, 25-43 

Ch. Hood, Beyond Exchanging First Principles? Some Closing Comments, in: Ch. 
Hood/D. Heald (eds.), Transparency. The Key to Better Governance?, Oxford 2006, 
211-225 

Ch. Hood, Transparency in Historical Perspective, in: Ch. Hood/D. Heald (eds.), 
Transparency. The Key to Better Governance?, Oxford 2006, 3-23 

ICANN, Annual Report 2005-2006, available at http://www.icann.org/annualreport 
ICANN, Accountability & Transparency, Framework and Principles, June 2007, ava- 
ilable at http://www.icann.org/transparency 

ICANN, Bylaws, 28 February 2006, available at http://www.icann.org/general/by- 
laws.htm 

International Monetary Fund, Assessments of the IMF Code of Good Practices on 
Transparency in Monetary and Financial Policies — Review of Experience, Decem- 
ber 2003, available at http://www.imf.org/external/np/mae/mft/assess/122303.htm 
H. J. Kleinsteuber, The Internet between Regulation and Governance, in: Möl- 
ler/Amouroux (eds.), OSCE Representative on Freedom of the Media, The Media 
Freedom Internet Cookbook, Vienna 2005, 61-75 


W. Kleinwachter, Beyond ICANN vs ITU? How WSIS Tries to Enter the New Terri- 


528 








20) 


21) 


22) 
23) 


24) 


25) 
26) 
27) 


28) 
29) 


30) 
31) 


32) 


tory of Internet Governance, 66 Gazette: The International Journal for Communica- 
tion Studies 2004, 233-251 

W. Kleinwachter, Global Governance in the Information Age: GBDe and ICANN as 
“Pilot Projects” for co-regulation and a new trilateral policy?, Denmark 2001 


R. M. Lastra/H. Shams, Public Accountability in the Financial Sector, in: E. Fer- 
ran/Ch. A. E. Goodhart (eds.), Regulating Financial Services and Markets in the 21st 
Century, Oxford 2001, 165-188 


V. Mayer-Schonberger/M. Ziewitz, Jefferson Rebuffed: The United States and the 
Future of Internet Governance, 8 Science and Technology Law Review 2007, 188-228 


R. B. Mitchell, Sources of Transparency: Information Systems in International Regi- 
mes, 42 International Studies Quarterly 1998, 109-130 


W. Mock, The Centrality of Information Law: A Rational Choice Discussion of In- 
formation Law and Transparency, 17 Marshall J. Computer & Info. L. 1999, 1069- 
1100 


Network Working Group, Reflections on Internet Transparency, July 2007, RFC 4924 
available at http://www.rfc-editor.org 

Network Working Group, Internet Transparency, February 2000, RFC 2775 available 
at http://www.rfc-editor.org , 

SNF, Swiss National Fund, Project, conducted by Ch. Kaufimann/R. H. Weber/K. Ale- 
xander/L. Paez/X. Roduner, Trade and Finance (forthcoming) 

The New Short Oxford English Dictionary on Historical Principles, 1993 


P. van den Bossche, The Law and Policy of the World Trade Organization, Cambridge 
University Press 2005 


R. H. Weber, Regulatory Models for the Online World, 2002 


R. H. Weber/M. Grosz, Internet Governance - From Vague Ideas to Realistic Imple- 
mentation, Medialex 2007, 119-135 


J. Weinberg, ICANN and the Problem of Legitimacy, 50 Duke Law Journal 2000, 
187-260 


529 





























Principal Differences in Financial Reporting Bases in 
Czech: Comparison of IFRS and Czech Accounting 
Standards Requirements 


Jiri Strouhal 
University of Economics in Prague, 
Department of Financial Accounting and Auditing, 


email: strouhal@vse.cz 


Board of the Czech Chamber of Chartered Accountants 


email: strouhal@komora-ucetnich.cz 


Abstract. The globalization and the expansion of markets, as 
well as the general progress in the technologies available have brought 
new problems to the compilation of financial reports and to the ascer- 
tainment of trading income of supranational corporations and groups in 
accordance with statutory regulations of countries involved. From the 
year 2005 public listed companies in the Czech Republic should report 
under IFRS framework, while the non-listed companies will still report 
under the Czech accounting principles. This duality may lead to dis- 
crepancies with respect to the identification of free cash flow, which is 
considered the basic information required for the income-based busi- 
ness valuation. The subsequent text therefore deals with the basic dif- 
ference in the identification and valuation of assets and liabilities in 
listed companies (which report under IFRS) and non-listed companies 
(which report under Czech regulations). 


Introduction 


Without common accounting standards, there could be 27 different national 
methods of accounting, in addition to the use of International Financial Re- 
porting Standards (IFRS) and the Generally Accepted Accounting Principles in 
the US (GAAP) which is permitted by some EU countries (Whittington, 2005, 
p. 129). Brown and Tarca (2005, p. 201) warn that “the future of the [ASB is 
tied to the successful introduction of IFRS in Europe”. The EU motivates the 
regulation by referring to the enhanced international comparability and trans- 
parency of financial statements and improved access to the international cap- 
ital markets resulting from IFRS usage (Cuijpers and Buijink, 2005, p. 519). 
In the year 2002 the Council issued Regulation 1606/2002 whereby it 
stipulated certain duties on the part of companies listed on European stock ex- 
changes to compile their consolidated accounting statements in accordance 
with IFRS. Therefore beginning in 2005, a large number of listed enterprises, 
exhibiting significant heterogeneity in size, capital structure, ownership struc- 


531 


ture and accounting sophistication, started to apply international standards for 
the first time. The demand for detailed application guidance will increase sub- 
stantially, as will the demand for uniform financial reporting enforcement 
throughout the European Union. Schipper (2005, p. 122) states “if the IASB de- 
clines to provide detailed implementation guidance for IFRS, I predict that pre- 
parers and auditors will turn elsewhere, perhaps to US GAAP or perhaps to 
jurisdiction-specific European GAAP, for that guidance”. 

In addition to the use of IFRS by listed companies, many countries adopt 
international standards for unlisted companies or model their domestic stan- 
dards on international standards. The Australian government has decided to 
adopt international standards for the statutory accounts of all domestic com- 
panies from 2005, and New Zealand has indicated the year 2007. A recent sur- 
vey by Deloitte and Touche (2003) suggests that more than 90 countries will 
either require or permit IFRS for listed companies by 2005. This provides an 
interesting example for those who argue that accounting standards should be 
left to competition in the marketplace (e.g. Watts and Zimmerman, 1986). 

The requirements for group listed enterprises to prepare IFRS reports 
from 2005 is established in most transitional economies, but it is still unclear 
to what extent other enterprises will prepare IFRS financial statements. Con- 
cerns about the lack of suitably trained accountants and auditors and the lack 
of efficient markets to ensure reliable fair values for the IFRS financial state- 
ments, have already been expressed (Eccher and Healy, 2000; Sucher and 
Alexander, 2002). This may cast doubt on whether the financial statements is- 
sued under IFRS will be reliable. Indications are that in most of the transitional 
economies of Eastern and Central Europe, other non-listed enterprises will not 
have to prepare financial statements according to IFRS (Sucher et al., 2005, p. 
574). 

Although IFRS are not deemed an equal alternative to Czech laws reg- 
ulating the compilation of financial reports, Act 563/1991 on accounting, nev- 
ertheless stipulated that selected accounting entities are obliged to proceed in 
accordance with IFRS to compile their financial statement. This exception ap- 
plies to consolidated accounting entities which have issued securities listed on 
the official stock exchange market in EU member states. Other accounting en- 
tities may choose whether to compile their financial statement in accordance 
with Czech statutory regulations or in accordance with IFRS. Unlike interna- 
tional standards, Czech accounting regulations lack a glossary of definitions for 
basic elements of financial statements, which is why we shall use the defini- 
tions applied in IFRS standards, namely in the Framework. Reliable measure- 
ment is expected from all entries involved. Concerning the initial recognition 
under Czech laws, the Accounting Act (Section 24) identifies the following 
valuation alternatives: 


532 








e historical costs, i.e. the cost of acquisition of the assets concerned, in- 
cluding the costs related to the acquisition itself 

e replacement/reproduction cost, i.e. the cost for which the assets would 
be obtained at the time of the accounting statement, 

`e production costs, which include all direct costs expended on the man- 

ufacturing or other activity and that part of indirect costs, which is re- 
lated to the manufacturing or other activity involved 

e nominal value, i.e. the face value 


As of the date of balance, the accounting entities are obliged to record their 
assets and liabilities as follows: 


[Entry [Upon acquisition | As of the date of balance 


net book value or the lower of the fol- 
lowing (net book value vs. market 
price) 











historical costs/ 
replacement costs/ 
production costs 










Intangible fixed assets 


net book value or the lower of the fol- 
lowing (net book value vs. market 
price) 


historical costs / 
replacement costs/ 
production costs 

















Depreciated tangible fixed 
assets 














or the lower of the following (historical 
costs /replacement costs/ production 
costs vs. market price) 


historical costs / 
replacement costs/ 
production costs 










Non-depreciated tangible 
fixed assets 





Shares and ownership in- 
terests — controlling influ- 
ence 






historical costs equivalent valuation 









Shares and ownership in- 
terests — substantial influ- 
ence 


Realizable securities A : 7 
historical costs fair value 
long-term 


historical costs / or the lower of the following (historical 
replacement costs/ costs /replacement costs vs. market 
price) 






historical costs equivalent valuation 













Inventory purchased 


Own products in inven- 7 
tory production costs 


[a 
Short-term securities historical costs 














or the lower of the following (nominal 
value/ historical costs vs. market 
price), or fair value (derivative con- 
tracts or receivables hedged by deriva- 
tives) 













nominal value/ 
historical costs 


533 





International standards IFRS apply the following measurement bases for 
financial accounting: 


è historical cost. 

e common replacement/reproduction cost (current cost): 
è net realizable value: 

© present value: 

oè fair value. 


In the Czech Republic, values are usually measured through historical 
prices, while donated or gratuitously procured assets are measured by repro- 
duction acquisition price which is the approximate equivalent of the repro- 
duction cost as defined by IFRS. Under certain circumstances, also the 
realizable value and the fair value also may be used as the measurement bases 
for financial accounting. At the same time, Czech regulations virtually ignore 
measurement methods based on present value (Strouhal, Zidlicka, 2007, p. 46). 


Financial Statements 


Under Section 18 of the Accounting Act, the financial statements comprise: 

e balance sheet, 

eè profit and loss statement, and 

è notes 

At the same time, Section 18 also contains the following unfortunate 
sentence “the financial statements may also include a cash-flow statement and 
the statement of changes in equity.” This means that under Czech laws, the 
cash-flow statement is not an obligatory component of the financial statements, 
not even for the accounting entities which are liable to statutory audit. [1] 
(Strouhal, 2006, CD). On the other hand, international standards stipulate that 
the above statements be an integral part of the financial statements. The sub- 
sequent text deals mainly with the balance sheet and the profit and loss state- 
ment (income statement). 


Balance Sheet 

Unlike Czech regulations, international standards do not define accruals 
and deferrals as separate accounting entries, but rather integrate them among 
receivables (deferred revenues) and liabilities (accrued expenses). 

At the same time, the Czech regulations do not require the separate re- 
porting of discontinued operations (Dvořáková, 2006, p. 171 — 172), while 
IFRS stipulate that discontinued operations be disclosed and presented sepa- 
rately in accordance with IFRS 5. In particular, IFRS 5 stipulates that: 


534 








e the sum of the post-tax profit or loss of the discontinued operation and 
the post-tax gain or loss recognized on the measurement to fair value 
less cost to sell or fair value adjustments on the disposal of the assets 
(or disposal group) should be presented as a single amount on the face 
of the income statement 

e detailed disclosure of revenue, expenses, pre-tax profit or loss, and 
elated income taxes is required either in the notes or on the face of the 
income statement in a section distinct from continuing operations 


Profit and Loss Statement (Income Statement) 

Pursuant to the Fourth Directive of the E.U., accounting entities should 
compile the profit and loss statement vertically, allowing for the presentation 
of expenses either according to their nature or function. However, if the profit 
and loss statement is arranged with respect as to the function of entries in- 
volved, accounting entity must also include a schedule disclosing the operat- 
ing costs classified with respect to their nature. 

Under IAS 1 , accounting unit should also report EPS ratio. Unlike the 
US GAAP, international standards do not require that costs be classified as to 
their function in the profit and loss statement. Instead they only demand that 
accounting entities submit an analysis of costs classified as to their nature or 
function, whichever classification provide more reliable or more relevant in- 
formation. However, the function-base classification allows for a amount of 
certain discretion with respect to the assignment of costs to individual func- 
tions. 

There exist two basic differences between the profit and loss statement 
compiled in accordance with Czech rules and in compliance with IFRS 
(Dvořáková, 2006, p. 292): 

e IFRSs have revoked the obligation to report extraordinary expenses 
and extraordinary revenues — as of 1st January 2005, accounting enti- 
ties disclose extraordinary expenses and revenues under their other ex- 
penses and revenues; 

e Czech regulations have included the entries re-allocation of expenses 
to inventory and fixed assets and change in inventory of finished 
goods and work in progress among the revenue entries. However, since 
IFRS do not recognize the above entries as revenues, they have been 
included among adjustments to operating expenses. 


Disclosure 


Firms with international stock exchange listings face additional capital 
market pressures (Meek et al, 1995) and stock exchange requirements (Cooke, 


535 





1992) that may lead them to increase their level of disclosure. Investors de- 
mand information about the domestic operating environment and domestic ac- 
counting regulations of foreign listed firms (Nobes and Parker, 2002). Many 
stock exchanges around the world allow foreign registrants to prepare their fi- 
nancial statements according to IFRS or US GAAP. Prior studies show that the 
level of disclosure (Cooke, 1992; Meek et al., 1995) and the probability of 
using non-local GAAP (El-Gazzar et al., 1999; Murphy, 1999; Ashbaugh, 
2001; Dumontier and Raffournier, 1998; Leuz and Verrecchia, 2000; Leuz, 
2003) are positively associated with the number of foreign stock exchange list- 
ings of a firm. The impact on financial reporting of cultural differences has 
been well documented (Nobes and Parker, 2002, pp. 18-19; Radebaugh and 
Gray, 2002, pp. 42-48). There may be more disclosure by UK or US compa- 
nies that have a culture of disclosure of information than by companies that 
have not traditionally aimed to produce especially transparent financial state- 
ments (e.g. companies from transitional economies such as Czech Republic). 


Basic differences in financial statements (Czech standards 
vs IFRSs) 


Intangible fixed assets 


Intangible fixed assets are intangible assets which the accounting entity 
intends to keep for more than one accounting period (the Income Tax Act also 
specifies that the input price of intangible fixed assets must exceed the sum of 
CZK 60 000). 

The value of intangible fixed assets is measured by historical cost (ac- 
quisition price) for assets purchased, by production costs for internally gener- 
ated assets and by replacement price for assets obtained gratuitously. Intangible 
fixed assets are subject to amortization [2] and the amortization period is stip- 
ulated by the Income Tax Act. The intangible fixed assets must be accounted 
for in compliance with the prudence principle as of the balance day, meaning 
that the accounting entity should disclose either the net book value of the in- 
tangible fixed assets [3], or the lower present market price [4]. 


IFRS: IAS 38 — Intangible assets, IFRS 3 — Business Combinations 

Intangible assets may be measured by two basic models over the period 
of possession: historical costs model and the revaluation model. If the ac- 
counting entity applies the historical costs model, the assets shall be subject to 
continual amortization [5]and their value shall be decreased and disclosed in 
compliance with IAS 36. If the accounting entity uses the revaluation model, 


536 








the asset shall be regularly revaluated to its fair value and consequently de- 
preciated. If the asset value is impaired, the accounting entity must proceed in 
compliance with ISA 36. The revaluation to fair value which is higher than the 
original value shall be accounted for under the revaluation fund and recog- 
nized in equity, while the impairment loss should be recognized in profit or 
loss — see IAS 36. [6] 

Intangible fixed assets may be amortized only if it is possible to make a 
reliable estimate of its useful life. The applicable amortization methods are vir- 
tually the same as the methods applied for the depreciation of tangible assets. 

Unlike under the Czech regulations, the incorporate expenses as well as 
research and development should be accounted for under expenses. Under cer- 
tain circumstances, R&D may also be capitalized in the balance sheet. Good- 
will pursuant to IFRS 3 should be disclosed only in the event that the goodwill 
was generated by acquisition. Advance payments may be offset against debts 
from the same title. 


Tangible fixed assets 

Tangible fixed assets include tangible assets which the accounting entity 
intends to keep for more than one accounting period (the Income Tax Act also 
specifies that the input price of the tangible fixed assets must exceed CZK 
40 000). 

The value of the tangible fixed assets is measured by historical costs 
(acquisition price) for assets purchased, by production costs for processed pro- 
duction and by replacement price for assets obtained gratuitously. Tangible 
fixed assets are subject to depreciation [ 7], the accounting books should show 
the so-called book depreciation[ 8].The tangible fixed assets must be accounted 
for in compliance with the prudence principle as of the balance day, meaning 
that the accounting entity should disclose either the net book value or the lower 
present market price of the tangible fixed assets concerned. 


IFRS: IAS 16 — Property, plant and equipment, IAS 17 — Leases, IAS 40 
— Investment property, IAS 41 — Biological assets 

Tangible assets may be measured by two basic models in the course of 
possession: historical costs model and the revaluation model. If the accounting 
entity applies the historical costs model, the assets shall be subject to contin- 
ual amortization and their value shall be a be decreased and disclosed in com- 
pliance with IAS. If the accounting entity uses the revaluation model, the asset 
shall be regularly revaluated to its fair value [9]. If the asset value is impaired, 
the accounting entity must proceed in compliance with LAS 36.The revaluation 
to fair value which is higher than the original value shall be accounted for under 


537 


the revaluation fund and recognized in equity, while the impairment loss should 
be recognized in profit or loss [10]. 

Tangible fixed assets shall be depreciated in compliance with IAS 
16[11],while the accounting entity shall determine its useful life by itself. Un- 
like under Czech regulations, accounting entities are entitled to write off real 
property since the year 2004 provided that it would be possible to determine 
their useful life. It is also possible to write off a part of the property if the costs 
of property acquisition include also property development expenses — this part 
of property value may be allocated to costs at the moment when the costs ex- 
pended start yielding revenue. Advance payments may be offset against debts 
from the same title. 

In the event of property investments reported under LAS 40, the value is 
measured mainly by means of the revaluation model. At the same time, same 
as in IAS 16, the accounting entity is also entitled to use the alternative — his- 
torical costs model. Reporting procedures are the same as with other assets re- 
ported under IAS 16. 

The rules pertaining to finance leases under international standards are 
completely different from Czech regulations. While in the Czech Republic, the 
subject of finance lease is accounted for by the lessor in his balance sheet (usu- 
ally a leasing firm) and the lessor also writes it off, the lessee is only entitled 
to include lease installments among his expenses and must disclose the asset 
under off-balance sheet records. AS 17 applies the rule that substance takes 
precedence over form. 

Pursuant to the above standard, at the commencement of the lease term, 
the lessee should record the finance leases as an asset and a liability at the 
lower of the fair value of the asset and the present value of the minimum lease 
payments. The lessee’s depreciation policy should comply with LAS 16. It is the 
same in the Czech Republic as assets held for operating leases should be pre- 
sented in the lessor’s balance sheet. 

To conclude, unlisted enterprises should use the data recorded in the 
schedule to annual accounts, where the accounting entity provides informa- 
tion about its off-balance sheet assets and liabilities and then incorporate the 
data in its own financial analysis to avoid any distortions of the economic re- 
sults. 


Inventories 

Inventories count among current assets. Usually, we distinguish between 
inventory purchased and processed production. At the time of acquisition, the 
value of inventories is measured by the historical costs (acquisition price - for 
purchased inventories), replacement price (for inventories obtained gratu- 


538 











itously) and production costs (for processed production). 

For the measurement of the value of inventory decrement, the same cost 
formula should be used for all inventories with similar characteristics as to 
their nature and use to the enterprise. For groups of inventories that have dif- 
ferent characteristics, different cost formulas may be justified, including FIFO 
[12] weighted average cost formula, fixed inventory price with independent 
disclose of variations or the actual acquisition price. 

Accounting entities are entitled to choose from the continual inventory 
system (method A) and periodic inventory system (method B) for inventory 
records. In the continual inventory system, accounting entities record invento- 
ries via account groups Materials, Processed Production and Goods and allo- 
cate inventory decrement to costs (Raw Materials, Resale of raw materials, 
consumables and purchased finished goods) or to income adjustments (group 
Change in inventory (stocks)). In the periodic inventory system accounting, 
entities record the purchased inventories in the relevant costs accounts and dur- 
ing the accounting period do not even use balance-sheet entries such as In- 
ventory of Materials and Consumables or Inventory purchased for resale - In 
storage. Instead, as of the balance day, the accounting entity transfers the ini- 
tial status of the balance-sheet entries into costs and based on the stock-taking 
results transfers from the costs the final status of purchased inventories into 
the balance sheet. 

Inventories must be accounted for in compliance with the prudence prin- 
ciple as of the balance day, meaning that the accounting entity must record the 
inventories with their book value or with their lower present market value. 


IFRS: IAS 2 - Inventories, IAS 41 — Biological assets 

Inventories are reported in accordance with the same principles as fol- 
lowed by applicable Czech regulations, with the exception of Spare Parts In- 
ventory, which is not recorded among Inventories but under IAS 16 as Property, 
Plant and Equipment. 

It is also necessary to bear in mind that processed production in the ac- 
counts change in inventory (stocks) and re-allocation of expenses to inventory 
and fixed assets do not comply with the definition of revenues, which is why 
they are recorded as adjustments to operating expenses. The above accounts are 
not recorded under the function-based classification of operating expenses. 

At the same time, IAS 2 stipulates much stricter terms with respect to the 
measurement of processed production, particularly in the following areas: 

e separation of fixed production overhead and variable overhead; only 
that part of the fixed production overheads which is based on the nor- 
mal capacity of production facilities may be allocated to the costs of 
conversion, 


539 





e prohibition of re-allocation of expenses not expended productively 
(such as scrap and waste), 

e permission to allocate administration overheads only provided that the 
accounting entity demonstrates incontestable relation between the ex- 
pended administration overhead and inventory procurement. 

Same as under the Czech regulations, it is not possible to revaluate the 
inventories to higher value. 
Advance payments may be offset against debts from the same title. 


Receivables, payables and credits 

The short-term and long-term receivables constitute a part of current as- 
sets, while short-term and long-term are included among liabilities. 

Both receivables and payables should be measured by their nominal 
value, unless obtained in exchange for consideration, in which case they should 
be measured by their acquisition price. Accounting entities must convert re- 
ceivables and payables in foreign currencies as of the moment of their meas- 
urement in Czech crowns in accordance with the current exchange rate of the 
Czech National Bank or a fixed exchange rate. As of the balance date, the ac- 
counting entities must also convert the sum of pending receivables and 
payables to Czech crowns in accordance with the current exchange rate of the 
Czech National Bank. Foreign currency exchange losses and gains should be 
recognized in the income statement. 

The deferred tax assets and liabilities arise from the differences between 
the accounting and taxation concept of selected accounting entries. The ac- 
counting for the deferred taxes is based on the assumption that the accounting 
entity will apply the deferred tax in a later period than the due tax. The recog- 
nition and the accounting for the deferred tax is mandatory for entities which 
form the consolidation units (i.e. enterprises within a group) and the account- 
ing entities which are obliged to compile the final accounts in their full extent. 
Other accounting entities may account for the deferred tax at their own dis- 
cretion. The accounting for the deferred tax does not affect the tax liability. At 
the same time, it affects the sum of disposable profit, i.e. profit intended for al- 
location. The calculation of the deferred tax should be based on the balance- 
sheet approach. Deferred tax should be recognized for all temporary differences 
arising from the different accounting and tax view of entries included among 
assets and liabilities. It is also necessary to account for differences between 
the tax and tax residual price of the deductible tangible and intangible fixed as- 
sets as well as for another differences such as the reserves created beyond the 
scope of statutory duty, recognition of adjustments to inventories or receiv- 
ables etc. 


540 








Credits and financial assistance should be measured at their nominal 
value. 

IFRS: IAS 12 — Income Taxes, IAS 32 — Financial Instruments: Presen- 
tation, IAS 39 — Financial Instruments: Recognition and Measurement, IFRS 
7 — Financial Instruments: Disclosures 

Receivables and liabilities are generally perceived as financial assets or 
financial liabilities to be recognized in accordance with standards applicable to 
financial instruments. Long-term receivables and payables should be recog- 
nized in their present value; the settlement of the difference between the pres- 
ent and nominal value is performed by means of an effective interest rate. Due 
to their time character, short-time receivables and payables are normally rec- 
ognized at their nominal value and the discounting to their present value is not 
required. 

Receivables and payables from derivatives contracts should be recog- 
nized under IFRS in the FVPL/HFT portfolio. When used as a hedging instru- 
ment, it is necessary to proceed in accordance with IAS 39. For fair value 
hedges the change should be recognized in profit or loss, cash-flow hedges and 
hedge of foreign investments in foreign operation should be recognized in eq- 
uity. 

As in the Czech Republic, the measurement of deferred tax liabilities 
under IAS 12 is performed in accordance with the liability method. This means 
that deferred tax assets and liabilities should be measured at the tax rates that 
are expected to apply to the period when the asset is realized or the liability is 
settled (liability method), based on tax rates/laws that have been enacted or 
substantively enacted by the balance sheet date. Deferred tax assets and lia- 
bilities should not be discounted under JAS 12. 

Advance payments may be offset against debts from the same title. 
Cash 

Short-term financial assets included among the current assets of an en- 
terprise. We distinguish between cash in hand, cash at bank and short-term se- 
curities. Cash items are measured at their nominal value, while short-term 
securities are measured by the historical costs (acquisition price). 

IFRS: IAS 32 — Financial Instruments: Presentation, IAS 39 — Financial 
Instruments: Recognition and Measurement, IFRS 7 — Financial Instruments: 
Disclosures 

Cash items are included among financial assets and should be recog- 
nized in accordance with standards dealing with the reporting of financial in- 
struments. Short-term securities should be recognized in the portfolio of 
financial assets intended for trade under FVPL/HFT [13] revaluated to their 
fair value with impact on profit or loss. 


541 


Provisions 

The Accounting Act stipulates that the only genuine profits should be 
accounted for in the balance sheet and that the accounting entity should take 
into consideration all predictable risks and possible losses affecting its assets 
and liabilities and known to the accounting entity at the time of balance sheet 
compilation, as well as should include all devaluations regardless of the fact 
whether the accounting entity showed profit or loss in the accounting period. 
The accounting entity is entitled to use provisions, adjustment entries and 
write-offs for that purpose. Provisions are aimed to cover future expenses or li- 
abilities, whose purpose is known and which are expected to occur, but whose 
timing or amount is uncertain. However, provisions may not be used adjust the 
value of assets. 

Provisions may be used only for the purpose for which they have been 
originally recognized. Logically, provision may only be used to the maximum 
amount in which it was created; and provision may not have a credit balance. 
The balance of reserves at the end of the accounting period should be trans- 
ferred to the subsequent period. Accounting entities are obliged review provi- 
sions entered in the books at the end of the accounting period, and assess their 
tenability and amount. If it is discovered that the reason for which the provi- 
sion has been created has lapsed, the provision should be dissolved in its full 
extent. If it is discovered that the provision is for a different sum than it is due, 
it should be adjusted. In the balance sheet provisions should be accounted for 
under liabilities. 

The Accounting Act defines 5 types of reserves — provisions for risks 
and losses, provisions for income tax, provisions for pensions and similar ob- 
ligations, provision for restructuring, technical provisions or other provisions 
pursuant to special legal regulations (statutory provisions). 

The Provision Act stipulates three types of provisions for enterprises: 
provision for repairs of tangible assets, provision for cultivation of crops, other 
provisions (for the removal of mud from a pond, for the redevelopment of plots 
affected by mining, for the settlement of mine damage or provisions stipulated 
by special laws as costs required to achieve, ensure or maintain revenues). 


IFRS: IAS 12 — Income Taxes, IAS 37 — Provisions, Contingent Liabili- 
ties and Contingent Assets 

In accordance with IAS 37, an enterprise may recognize a provision if, 
and only if a present obligation (legal or constructive) has arisen as a result of 
a past event; it is more likely than not that to settle such an obligation, an ex- 
penditure of profitable income is required; and the amount can be estimated re- 
liably. 

The amount recognized as a provision should be the best estimate or the 


542 








most probable result. However, it may also be measured as the present value 
of future expenditures, in case the obligation is to be settled over the course of 
several future periods, or in a period which does not subsequently follow the 
accounting period in which the provision has been recognized; or if the amor- 
tized cash value is considered to have a major impact. 

IAS 37 does not allow provisions for future operating losses, since they 
do not meet the requirements which constitute an obligation or the general 
principles for the recognition of provisions. Instead, it is necessary to consider 
possible asset value impairment, and apply IAS 36 — Impairment of Assets. 

Furthermore, IAS 37 does not allow the recognition of a provision for 
the repair of tangible assets [14].Since in accordance with IAS 16, assets with 
different useful life are depreciated separately, and expenditures for asset main- 
tenance or replacement are activated subsequently. 

On the other hand, an enterprise may recognize a provision for an oner- 
ous (loss-making) contract. Provisions for restructuring may also be recog- 
nized, if all general criteria for the recognition of provisions have been met. 
Provision for income taxes is recognized as a tax liability, in accordance with 
IAS 12. 


Conclusion 


The most significant problem of financial statements and items shown is the 
complete inconsistency of measurement bases and the application of the his- 
toric (acquisition) cost, fair value and the present value (Buus, Strouhal, 
Brabenec, 2007, p. 36). At present, the principle of measurement based on the 
historical cost fades out as it is being gradually replaced by the IFRS trend of 
reporting fair values, which are, however, difficult to measure in less trans- 
parent markets. At the same time, the reporting based on fair value is includes 
a hidden danger of future volatility of such values and the consequent impact 
of the changes on financial statements. 

Jindřichovská & McLeay (2005) states that “the Czech market is simi- 
lar to more developed markets, at least in one respect: There is statistically sig- 
nificant evidence of different market effects of profits and losses, in that, profits 
are more persistent than losses. However, contrary to the findings in more de- 
veloped markets, there is no statistically significant evidence of earnings con- 
servatism in the Czech market” (p. 635). These results are most probably due 
to the continuing influence of restrictive tax regulations that mitigate any ten- 
dency towards conservatism, as well as the transitional nature of the economy. 
In conclusion, if changes in market prices signal good news and bad news about 
future risky outcomes, there is no evidence of asymmetry in the Czech market 
in accounting for such risks. 





The principal differences in reporting balance sheet entries can be sum- 
marized as follows: 


1. unlike Czech regulations, the Standards allow the revaluation of an (in)tan- 
gible asset even for a higher (fair) value based on the revaluation model, re- 
flected in the capital reserve; 

2. unlike in Czech practice, intangible fixed assets do not include organization 
costs and research, included directly in expenses in the IFRS; 

3. unlike in Czech practice, tangible fixed assets include items procured by fi- 
nancial leasing; 

4. unlike in Czech practice, it is possible, under certain circumstances, to de- 
preciate property; 

5. according to the IFRS, tangible fixed assets also include spare parts, which the 
Czech Accounting Standards (CAS) recognize as inventories; 

6. unlike in Czech practice, inventories do not include spare parts, which are re- 
ported as tangible fixed assets; 

7. unlike in Czech practice, IFRS require a strict distinction between fixed and 
variable overheads, and do not allow the activation of unproductively ex- 
pended costs; 

8. in accordance with IFRS, long-term receivables and long-term liabilities 
should be valued based on their present value, not their nominal value used 
in Czech regulations; 

9. under certain conditions, IFRS allow to report provisions at their present value 


Notes 


[1] The accounting entity must undergo a statutory audit of its financial statement, if it 
fulfils one or more of the following conditions over two successive accounting periods: 
the balance sum exceeds the amount of CZK 40 000 000, 

net sales (pursuant to Value Added Tax Act) exceeds CZK 80 000 000, and 

converted number of employees is higher than 50 persons. 

Joint-stock companies must comply with one of the above conditions, and limited liability 
companies and cooperatives with two of the above conditions to require statutory audit. 
Accounting entities which are obliged to undergo the statutory audit are also require to 
compile the annual report (which is also subject to statutory audit). Audited accounted en- 
tities are obliged to compile the annual statement in its full extent. If the accounting entity 
is not subject to statutory audit, but undergoes the audit voluntarily, it may compile its an- 
nual report in simplified form and extent. 

[2] The book depreciation for intangible fixed assets is equal to tax write-off. Tax write-offs 
are derived from linear distribution. 

[3] Residual cost = input price (i.e. acquisition price, replacement price, own costs) — ad- 
Justments (i.e. accumulated depreciation) 

[4] In this case the accounting entity enters only a temporary adjustment entry. After the 
lapse of the reasons for the revaluation, the accounting entity lapse deletes the entry. 

[5] In the area of intangible assets, IFRS does used the term depreciation but rather the 


544 








term amortization. 

[6] If the accounting entity creates an revaluation fund for the asset concerned, it shall ac- 
count for the asset under equity at first until the fund is completely withdrawn. After that, 
the accounting entity should account for the reduction of the fair value of the asset under 
expenses. 

[7] With the exception of land, works of art and art collection, which are not subject to 
depreciation. 

[8] The calculation of the tax base should incorporate deduction under the Income Tax Act 
— i.e. the so-called tax deductions. The Income Tax Act entitles the accounting entities to 
use linear or accelerated depreciation. Selected accounting entities use the differences be- 
tween the book net value and the tax residual value of the fixed assets to calculated defer- 
red tax liabilities. 

[9] If the market price is not known, the fair value shall be determined based on replace- 
ment costs reduced by an adequate depreciation of the asset concerned. 

[10] As was the case with intangible fixed assets, if the accounting entity creates an reva- 
luation fund for the asset concerned, it shall account for the asset under equity at first until 
the fund is completely withdrawn. After that, the accounting entity should account for the 
reduction of the fair value of the asset under expenses. 

[11] Possible depreciation methods permitted by the standard include straight-line depre- 
ciation, activity depreciation, declining-balance depreciation, DDB (Double-Declining- 
Balance Method) or SYD (Sum-of-the-Years-Digits) method. 

[12] First In First Out 

[13] At Fair Value through Profit and Loss / Held For Trading 

[14] IAS 37 does not allow other tax-effective provisions popular in the Czech Republic, 
such as the provision for the removal of mud from a pond, or the provision for reforesta- 
tion, since they do not meet the prerequisites for a provision pursuant to the standard. 


References 


1.  Ashbaugh, H. (2001). Non-U.S. Firms‘ Accounting Standards Choices. Journal of Ac- 
counting and Public Policy. Volume 20 (issue 2), pp. 129-153. 

2. Brown, P., & Tarca, A. (2005). A Commentary on Issues Relating to the Enforcement 
of International Financial Reporting Standards in the EU. European Accounting Re- 
view. Volume 14 (issue 1), pp. 181-212. 

3. Buus, T., & Strouhal, J., & Brabenec, T. (2007). How to Valuate Your Company — 
Comparison of the Approaches for Listed and Non-listed Companies. Prague, Czech 
Republic: Linde Gas. 

4. Cooke, T. E. (1992). The Impact of Size, Stock Market Listing and Industry Type on 
Disclosure in the Annual Reports of Japanese Listed Corporations. Accounting and 
Business Research. Volume 22 (issue 87), pp. 229-237. 

5.  Craner, J., & Krzywda, D., & Novotny, J., & Schroeder, M. (2000). The Determina- 
tion of a Group for Accounting Purposes in the UK, Poland and the Czech Republic 
in a Supranational Context. International Journal of Accounting. Volume 35 (issue 
3), pp. 355-397. 

6. Cuijpers, R., & Buijink, W. (2005). Voluntary Adoption of Non-local GAAP in the Eu- 
ropean Union: A Study of Determinants and Consequences. European Accounting 7. 
Review. Volume 14 (issue 3), pp. 487-524. 

7. Deloitte and Touche (2003). Use of IFRS for Reporting by Domestic Listed Compa- 
nies by Country. Available at: www.iasplus.com. 

8. . Dumontier, P., & Raffournier, B. (1998). Why Firms Comply Voluntary with IAS: 
An Empirical Analysis with Swiss Data. Journal of International Financial Manage- 


545 








10. 


11. 


12. 


13. 


14. 


15. 


16. 


17. 


18. 


19. 


20. 


21. 


22. 


23. 


24. 


25. 


26. 
27. 


. ment and Accounting. Volume 9 (issue 3), pp. 216-245. 


Dvořáková, D. (2006). Financial Accounting and Reporting under IFRSs. Brno, Czech 
Republic: Computer Press. 

Eccher, E., & Healy, P. (2000). The Role of International Accounting Standards in 
Transitional Economies: A Study of the People’s Republic of China. Available at: 
http://papers.ssrn.com/paper.taf?abstract_id=233598. 

El-Gazzar, S. M., & Finn, P. M., & Jacob, R. (1999). An Empirical Investigation of 
Multinational Firms‘ Compliance with International Accounting Standards. Interna- 
tional Journal of Accounting. Volume 34 (issue 2), pp. 239-248. 

Jindfichovska, I., & McLeay, S. (2005). Accounting for Good News and Accounting 
for Bad News: Some Empirical Evidence from the Czech Republic. European 
Accounting Review. Volume 14 (issue 3), 635-655. 

Leuz, C. (2003). IAS versus U.S. GAAP: Information Asymmetry-based Evidence 
from Germany’s New Market. Journal of Accounting Research. Volume 41 (issue 3), 
pp. 445-472. 

Leuz, C., & Verrecchia, R. E. (2000). The Economic Consequences of Increased Dis- 
closure. Journal of Accounting Research. Volume 38 (Suppl.), pp. 91-124. 

Meek, G. K., & Roberts, C. B., & Gray, S. J. (1995). Factors Influencing Voluntary 
Annual Report Disclosures by U.S., U.K. and Continental European Multinational 
Corporations. Journal of International Business Studies. Volume 26 (issue 3), pp. 555- 
572. 

Murphy, A. B. (1999). Firm Characteristics of Swiss Companies That Utilize Inter- 
national Accounting Standards. International Journal of Accounting. Volume 35 (issue 
1), pp. 121-131. 

Nobes, C., & Parker, R. (2002). Comparative International Accounting. London: Pren- 
tice-Hall Europe. 

Radebaugh, L., & Gray, S. (2002). International Accounting and Multinational En- 
terprises. New York: John Wiley. 

Schipper, K. (2005). The Introduction of International Accounting Standards in Eu- 
rope: Implications for International Convergence. European Accounting Review. Vol- 
ume 14 (issue 1), pp. 101-126. 

Strouhal, J. (2006). ACONTIS — Professional Information for Accounting Practices 
(CD). Prague, Czech Republic: ASPI Wolters Kluver. 

Strouhal, J., & Zidlicka, R. (2007). Financial Reporting 2007. Brno, Czech Republic: 
Computer Press. 

Sucher, P., &Alexander, D. (2002). IAS: Issues of Country, Sector and Audit Firm 
Compliance in Emerging Economies. London: Centre for Business Performance of 
the Institute of Chartered Accountants in England and Wales. 

Sucher, P., & Kosmala, K., & Bychkova, S. & Jindrichovska, I. (2005). Transitional 
Economies and Changing Notions of Accounting and Accountability. European Ac- 
counting Review. Volume 14 (issue 3), pp. 571-577. 

Watts, R., & Zimmerman, J. (1986). Positive Accounting Theory. Englewood Cliffs, 
NJ: Prentice-Hall. 

Whittington, G. (2005). The Adoption of International Accounting Standards in the 
European Union. European Accounting Review. Volume 14 (issue 1), pp. 127-153. 
www.iasb.org (International Accounting Standards Board) 

www.iasplus.com (International Accounting Standards online) 


546 








Cost, Defining, and Responsibility of Government 
Purchasing Open Source Software 


Ma Minhu, Feng Liyang & Dong Zhifang 
Law Department of Xi’an Jiaotong University, Xi’an, China 
Law Department of Anhui University of Technology, Anhui, China 


Abstract: Various countries now are paying close attention to 
open source software because of its “security cost” which is different 
from the commercial software. But how to make the “security cost” as 
one of government’s purchasing principles, define national open source 
software and respond to the technique and product flaw services of open 
source software are all new legal problems which needs to be analyzed. 


Key words: open source software (OSS), security cost, domestic products, legal me- 
asures 


Biographical Notes: Ma Minhu, Professor in the Law Department, Xi’an Jiaotong 
University. Research direction is intellectual property law and internet information se- 
curity law. His works include Internet Security Law and Information Security Law Re- 
search. Email: mhma@mail.xjtu.edu.cn 

Feng Liyang, Master Candidate of civil and commercial law in the Law Department 
of Xi’an Jiaotong University.Research direction is information security law. 

Dong Zhifang, Lecturer in the Law Department, Anhui University of Technology. Re- 
search direction is economic law, intellectual property law and internet information 
security law. 


|. Introduction 


Government purchasing software is the main market pattern of the establish- 
ment of E-administration. Every country has confirmed the security of the open 
source software (OSS), and supported it actively in both legislation and po- 
licy. US DoD (U.S. Department of Defense), NSA and NIST have arranged. 
the Linux service system and conducted research on OSS. Besides investiga- 
ting the security of Microsoft software, EU proposed specialized requirement 
for purchasing information technique and service, including OSS(120020. In 
2004, the Administrative department of France and a member of the EU, an- 
nounced that the reliability of OSS had been confirmed and that if govern- 
ment purchased OSS, acquisition budget could be reduced and the fiscal deficit 
could be cut down, thus, Microsoft might compromise. 

At the beginning of 2002, the British government’s Purchasing Office 
suggested that the use of Microsoft software should not be encouraged, and 




















547 











they believed that Britain could buy good quality software with a fair price. 
When extending the software permission with Microsoft in 2003, they nego- 
tiated with Microsoft by saying that Intel X86’s Linux system would be ap- 
plied in the service system. In addition, Japan and India have taken similar 
measures. 

In 2003,the Opinions of the State Council Information Office(SCITO) 
on Enhancing the Information Security by the General Office of the CPC Cen- 
tral Committee and the General Affairs Office of the State Council indicated 
that, with the basis of the combination of government directing and market 
mechanism, the development of the information security industry should be 
promoted, and the system of basic information network and important infor- 
mation network, with the predomination of autonomous controlling facilities, 
should be gradually established. As for the government fiscal investigating in- 
formation project, domestic software, facilities and service should be adopted 
under the Government Purchasing Law. The acquisition of Linux and other 
OSS in Beijing and Shanghai reflects the government’s positive attitude to- 
wards OSS acquisition, which guides the national-wide acquisition. 

However, the security cost of the OSS and the definition of domestic 
OSS are new legal topics in applying the Government Purchasing Law. At pre- 
sent, there’s no explicit definition in the laws of our country, and theoretical re- 
cognition should be further deepened. Because of the special characteristics of 
the OSS, the issue of how to respond to the legal responsibility of the flaw se- 
rvice, technique and product, has become an urgent legal problem in both the- 
oretical research and purchasing practice. This paper aims to analyse how to 
make the “security cost” as one of government’s purchasing principles, to de- 
fine the national open source software and to determine how to respond to the 
technique and product flaw services of open source software . 


2.0 Information “security cost” of the government purcha- 
sing OSS 


Information “security cost” is the expenditure on maintaining the stable and 
continuous working and regaining the data function of the information tech- 
nology, in the process of government purchasing. It’s the concretion of secu- 
rity factors in information expenditure. 


2.1 “Security cost” is an important constitute in the cost forecast 
of government purchasing. 


There are complex reasons behind government purchasing OSS. Cost factor is 
the most important part in Government Purchasing Law (Harhold E.Fearon 


548 








,1993). The government is the core part of a country’s infrastructure (2003) 
and every country pays great attention to their information security. Now glo- 
bally, with the background of government security service outsourcing, the go- 
vernment’s information security, rather than reducing the buying cost, is the 
preceding matter to be considered in every purchasing process. 

Security damage can be mainly attributed to sabotage and system de- 
fects. As for system defects, the most commonly used method is the use of va- 
rious testing tools. The code testing process against design flaws is not only an 
integral part of the life cycle of software development, but also an important 
component of assessing OSS. Compared to system defects, it’s more difficult 
to deal with sabotage. 

It is necessary to establish a set of source code assessment and detection 
strategy. From a legal perspective assessment strategies should first include 
the following steps: identify the origin of the source code; check the copyright 
information and software licenses; inspect software authorization from the au- 
thor; security risks. These should be included in the cost of purchasing and 
using OSS. 

Therefore, information security is essential in cost control. “Security 
cost”, the expenditure on maintaining information security, should be consi- 
dered in the cost budget of the government purchasing. An examination of the 
security factors in the process of government purchasing helps E-administra- 
tion work-properly. It also helps to maintain the security of government’s sen- 
sitive information, and ensure the completeness of open administrating 
information and the authorized access of government information. It’s the in- 
ternal requirement for realizing the overall goal of domestic economy and so- 
cial development. 


2.2 OSS has advantage in “security cost”. 


With the consideration of commercial interests, commercial software has ad- 
opted various technical measures to protect the sources, which hinders go- 
vernment acquisition. OSS can be controlled effectively in the working process 
and results. By examining the sources and consulting the customers, govern- 
ment, enterprises and individuals can control the software’s working process 
and results, revise some codes to meet the security requirements, or produce 
specialized safe hardware. It is not practical to expect the government , which 
is the ultimate user, to control the working process or revise the sources of the 
software, or benefit more from the openness of the source. Thus, it is neces- 
sary for the manufacturer, seller, or a specialized third party, to provide rela- 
ted services like consulting and source revising. 

Undeniably, the results of applying such software is unpredictable, for 


549 








it’s easy to revise the codes of the OSS, which may result in the insecurity of 
the information system. User’s information may be revealed, privacy offen- 
ded, and data destroyed. In the spreading of OSS, the different designer’ s de- 
signing plan, designing method, and designing attitude, will eventually affect 
the effectiveness and security of the software. For the government, this is unap- 
parent and unknowable. Ar present, the programmers of OSS like Linux, stric- 
tly apply the codes quality control system (Linus Torvalds is specialized in 
maintaining the quality control for Linux core. They also examine the certifi- 
cation of the core programmers). Certification examination and the core ma- 
intaining system have been put under the standardized project management. 

Spontaneous of OSS coordinates a loose developing team to work to- 
gether. Itis very necessary to control the source; otherwise, problems like re- 
petitive developing or incompatibility will occur, which may result in a 
break-up of the team. For example, there is a branch of Unix: Forking. The- 
refore, in order to control the whole version of the opened source tree, some 
functional software like CVS have been used in open source projects to manage 
the code and regulate the procedure. Software like ISV, a branch of Linux, is 
regulated, and the evaluation standard is clarified in law. As for the core source, 
it is necessary to strengthen the legal obligation of the programmers by va- 
rious methods, such as a contract, which has been responded actively by the 
OSS developing team. For instance, in May 2004, Linus Torvalds added an ar- 
ticle of “Developer’s Certificate of Origin” in the core revising process. De- 
veloper’s Certification of Origin requires the developer to submit their real 
name and email address in an email when they submit the extension code of 
Linux core, thus, the security of the OSS has been enhanced in law. 

Code check is a security controlling measure adopted by both OSS and 
commercial software: The difference between the two is that code-check is an 
essential procedure in the software project, while codes of OSS will not only 
be checked in the procedure of software project, but also be examined in every 
stage of the software’s existing period by other programmers. This provides 
the possibility of excluding system “backdoor” and discovering “flaw”. Com- 
pared with OSS, it’s more easily to put “backdoor” code in commercial so- 
ftware, the existence of NSA key in Windows operating system is an example 
of this kind. 


2.3 The components of the “security cost” in purchasing OSS 


Price (cost) is the prior element in government purchasing (Cao). The 17th ar- 
ticle of the Government Purchasing Law of China regulates that the evalu- 
ation of price should be reflected in software Purchasing, which includes not 
only the purchasing cost, but also the expense of preventing security problems, 


550 





the expense of maintaining and managing the software and the expense of re- 
sponding to and solving the security problems. It is more complex to detect se- 
curity holes in a program than to write a program on one’s own. Furthermore, 
we often have to face some open source code of large complex applications. 
Because it is almost impossible to detect the back door to the system kernel in 
source code, the assessment of the risks being attacked becomes difficult. In ad- 
dition, some people might maliciously add harmful code in open source code, 
and scattered, though the possibility of spreading the virus is not greater than 
non-open source program. Therefore, security training, safe running and ma- 
intenance, response to the security problems (security special equipment, data 
backup and recovering) constitute the main content of “security cost”. Com- 
pared with commercial software, OSS enjoys the advantage of “security cost” 
in its completeness of security enactment, its response to security problems 
and its continuous devotion. 

Besides, the cost of intellectual rights (IR) has to be considered as a part 
of “security cost” of government purchasing OSS. There are already cases of 
OSS influencing traditional IR and the software copyright nowadays, for in- 
stance, the DeCSS case. The US court judged that spreading the software which 
avoided technical measures was illegal according to DMCA. And the “Patent 
permission plan” initiated by Microsoft in May 2004 would sharpen the con- 
flicts between commercial software and OSS again after SCO sued IBM. The- 
refore, when purchasing OSS, government should distinguish between the 
criteria of “proper” use and the violation limit of avoiding technological pro- 
tective measures and consider the influence of OSS possible violation to the co- 
pyright and its cost. 

It should be pointed out that the competition and compromise between 
commercial software and the OSS is helpful to ensure the “adequate security” 
of government’s information. Meanwhile, government purchasing enlarges the 
market for OSS, which is of great competitive potential in software trade. The 
“open source” measure of commercial software producers (such as Microso- 
ft’s “government security plan”) helps improve the influence of OSS. 


3.0 The “domestic products” principle in government’s pur- 
chasing OSS and security control 


The priority of domestic products and service is the acquiescent rule of all co- 
untries. Though the EU opposes the implementation of internal favorable po- 
licies, it restricts the products from outside Common Market. Having joined 
the Government Purchasing Agreement, the US still requires purchasing of do- 
mestic products in projects which are lower than the open threshold (about 170 


551 


thousand USD). Besides, when joining the Government Purchasing Agreement 
of WTO, EU and US. exempted many projects of their public purchasing mar- 
kets. For instance, the US does not open its telecom market to the EU in the 
public affair purchasing. 


3.1 Defining domestic OSS 


According to article 10 of the Government Purchasing Law, “the priority of 
purchasing domestic products and service”, how to define “domestic products 
and service” is an issue urgently needed to be solved in legislation. 

The American Products Purchasing Law of 1933 clearly defined the 
American “domestic products” and set clear the purchasing criteria. In the law, 
“domestic products” is defined as: the products manufactured in US with an 
added value over 50%; the products assembled with imported parts are not in- 
cluded in domestic products; The multinational companies can not attend the 
bid for government purchasing unless they build factories and produce more 
than 50% of the parts in US; As to those products that aren’t produced in the 
US, the foreign products must contain a portion of domestic parts or the fore- 
ign products attending the bid offers some technology transfer. In the member 
nation of EU, France, Britain, Italy and some other countries also have their 
own criteria for defining “domestic products”. 

Referring to other countries’ criteria for defining “domestic products” 
and the characteristics of OSS, when setting up the criteria of defining dome- 
stic OSS, the following factors need to be considered: the software is mainly 
developed in China (50% of foreign process is allowed); the added value in 
China is over 50%; or the software is launched by Chinese companies (Ni, 
2003). In other words, defining criteria like “main criteria”, “behavior criteria” 
and “value criteria” should be set up. According to the rules of Government 
Purchasing Law, the Commerce Ministry can be the organization authorized in 
defining domestic OSS. 

The matter of defining “Domestic OSS” does not only include the pro- 
ducts or service of the domestic companies, but also includes the products or 
service of the multinational companies which set up software R&D organiza- 
tion and the joint ventures. Besides, not all the software sold by companies re- 
gistered in China is “domestic OSS”. If the main part of the company is abroad 
or there is only an empty company with a few employees in China, or only a 
sales department rather than a research and development department, the com- 
pany’s products surely can’t be treated as “domestic OSS”. 


552 


3.2 “Domestic products” principle and Government Purchasing Agre- 
ement 


Of course, the system obstacle existing in purchasing domestic OSS still needs 
further analysis. The Government Purchasing Agreement is strongly against 
the protective policies in purchasing market, in which “the priority of purcha- 
sing domestic products and service” principle is the most remarkable. The agre- 
ement basically denies the macro-control policy protecting the government 
purchasing market with the excuse of national public interest. And China has 
promised to fully open the government purchasing market no later than 2020 
(Sheng & Wu, 2002). By then, the purchasing of foreign software is inevita- 
ble. The principle of helping the small and medium-size enterprises, and prio- 
ritizing of purchasing domestic products and service in Government 
Purchasing Law is not perfectly consistent with the intention of national treat- 
ment and non-discriminative treatment in Government Purchasing Agreement. 

Therefore, when purchasing domestic OSS, security-control study of fo- 
reign OSS also needs to be enhanced in order to clarify the purchasing rules. 
The purchasing rules of foreign OSS should include the followings: 

1). Strict monitory system. The government purchasing of foreign OSS 
should be strictly monitored. The supervising and administrating department of 
government purchasing should be endowed with the right of examining and 
approving. The exception regulation of the tenth article in Government Pur- 
chasing Law should be adopted in purchasing foreign OSS. 

2). The purchased foreign OSS must pass the test of our country’s secu- 
rity product and the security evaluation of the information system. Those OSS 
that haven’t been examined don’t have the right to enter the government pur- 
chasing field. 

3). Purchasing security analysis should be implemented. Before pur- 
chasing, security analysis must be implemented to the foreign OSS by the pur- 
chasing organization. 

4). Clear requirements should be brought forward in the purchasing con- 
tract, which mainly include: (1) The foreign commercial software must open 
its source code and receive source code backup and monitoring rule. (2) The 
protocol and file format must be open, otherwise no purchasing will be done. 


4.0 The legal responsibility of information assurance in go- 
vernment’s purchasing OSS. 


Information assurance (IA) is the protection and defense of the whole infor- 
mation system and ensures the security of the system, including the protection, 
examination, response and recovery to the information. The IA of government 


553 














purchasing OSS should be carried out in the field of legal system. Due to the 
special characteristics of OSS, the regulation of relevant legal responsibility 
should be adaptable to the specific characteristics, especially in the analysis of 
government purchasing procedure. The clarified responsibility here includes: 

1). Clarify the legal responsibility of violating the rule of “the priority 
of purchasing domestic products”. According to Article 10 of Government Pur- 
chasing Law, if the purchaser or purchasing organization purchases foreign so- 
ftware without referring to the exception regulation for foreign software, and 
harmful results or insecure issues occurred in the process of government in- 
formation affairs, the supervising and administrative organization should order 
them to correct. If they refuse, they should be punished according to the law 
by the supervising organization. To those who break the criminal law, crimi- 
nal responsibility should be charged. 

If the purchasing cost analysis is not done and thus the 17th article of 
Government purchasing law is violated, the purchased software does not have 
“security cost” advantage, the relevant organization should require them to 
correct within certain time, and meanwhile warning and amercement can be 
implemented. To those who break the criminal law, criminal responsibility sho- 
uld be charged. 

2). Clarify the organizational form, internal administrative system and 
responsibility principle of the OSS producers. The internal administrative struc- 
ture of OSS producers must accord with the regulation of the Corporation Law; 
the legal responsibility of CTO, security committee, or other similar organiza- 
tions should be clarified. Besides, the security manager responsibility system 
should be set up to ensure the quality of OSS. From the perspective of infor- 
mation security, strengthening the organizational mode of OSS can effectively 
avoid the workshop-type software development, be helpful to realize the se- 
curity responsibility system, and decrease the risk of the producers going ban- 
krupted to the extreme. 

3). Explain the assurance item of OSS according to the non-fault re- 
sponsibility principle in Law on Product Quality, and decide on the security re- 
sponsibility of OSS. The quality flaw due to the OSS medium surely should 
shoulder the caused user-damage responsibility. If the OSS causes damage to 
human body or other assets besides the defected product itself, the producer 
should bear the compensation responsibility, which can include: damage com- 
pensation, information and system recovery and so on. If the OSS damages 
the public security or the national interest, administrative punishment should 
be implemented to restrict its production and management, and criminal re- 
sponsibility will fall on the producer. 

The spreading or producing malicious code like computer virus through 


554 


OSS, which causes damage to the information system and the Internet security, 
will be punished through administrative and criminal ways. 

3). Set up OSS cross-bencher organization for code examining and con- 
sulting, and entitle it with legal status. The software producer and the third 
party must be encouraged to build service organization and provide service to 
the end users including government, the enterprises and the individuals. The 
building criteria of the organization must be set-up according to the 19th, 20th 
and 21st particles in Law on Product Quality to ensure the separate execution 
of the organization. The organization and the system should serve the govern- 
ment purchaser and the end users. Meanwhile, the government should also 
refer to the regulations in Classification Principles for Specialized Products of 
Computer Information Security and Management Method of Examination and 
Sale’s Permissions for the Specialized Products of Computer Information Se- 
curity (Zhou). 


References 


1. EU, “on a common approach and specific actions in the area of network and infor- 
mation security”, (2002/C 43/02), available at http://europa.eu.int/index_en.htm 


2. Harhold E.Fearon. Purchasing Handbook,Sth ed., McGraw-Hill, Inc., New York 1993 


3. The national security strategy of the United States of America, 2003. from the URL: 
http://www. whitehouse. gov/nsc/nss.pdf 


4. Cao Fuguo. On government purchasing and its administrative characteristics-con- 
currently on the current situation of the government purchasing of our country. from 
the URL: 


5. _ http://www.jscj.com/jscj/caizhen/data/20001215061516.htm 
6. Ni Guangnan, Government purchasing law. Chinese E-Business, 2003, No.5 


7. Sheng Jieming, Wu Tao. WTO’s Government Purchase Agreement and the legislation 
of Government Purchase Law. Chinese Economic Law(2002). China Machine Press, 
2002, at p.236 

8. Zhou Chengyue. Information security authentication and government purchasing. 
China Information Security, Vol 24 


555 











Stones from Other Hills(\):Finality Rules within the Law 
of International Large Value Electronic Credit Transfers 
in China 


Wen Li 
PhD Candidate 
Centre for Commercial Law Studies 
Queen Mary University of London 
London, UK 
Liwen830409@hotmail.com 


Abstract: By studying the finality rules in English law and the 


UNCITRAL Model Law on International Credit Transfers, and by 
considering China’s banking practice, this paper distinguishes the fol- 
lowing four aspects of finality rules: time of completion of payment, 
discharge of underlying obligation owed by the originator to the 
beneficiary, access to funds, and revocation. To deal with these four 
aspects, private agreements, Model Law, civil law theory and electronic 
funds transfers (EFT) statutes should be applied flexibly and 
comprehensively. Successful banking law approaches from developed 
countries need to be borrowed by Chinese lawmakers with a broad heart. 


Keywords: Finality, Credit Transfer, International, Model Law, China. 


Part I. Introduction 


Basic Model of International Large Value Electronic Credit Transfers 


Originator’s Bank | __—» | Intermedi- 
ary Bank(s) Beneficiary’s Bank 


[originator] —————> [Beneficianys | 


It is acommon feature for most information technology law papers that before 
analyzing legal issues, the technological side pertaining to the legal issues sho- 
uld be clearly demonstrated. This chart above reflects the basic model of 
international large value electronic credit transfers (inter-banks). The 
communication of information flow and funds flow are like this: 


557 





1) The originator initiates a payment instruction [2] to the originator’s 
bank; 

2) The originator’s bank receives the payment instruction; 

3) The originator’s bank accepts the payment instruction; 

4) The originator’s bank debits the originator’s bank account in 
accordance with the payment instruction; 

5) The originator’s bank issues a payment instruction to the 
intermediary bank; (If the originator’s and the beneficiary’s bank 
have no direct links, namely, they have not maintained 
correspondents accounts with each other, one or more intermediary 
banks have to be used to establish the bridge between them) 

6) The intermediary bank receives the payment instruction; 

7) The intermediary bank accepts the payment instruction; (if there is 
more than one intermediary bank involved, then the process of 
issuing payment instructions, receiving and accepting the payment 
instructions will repeat again), 

8) The intermediary bank issues a payment instruction to the 
beneficiary’s bank, 

9) The beneficiary’s bank receives the payment instruction, 

10) The beneficiary’s bank accepts the payment instruction, 

11) The beneficiary’s bank credits the beneficiary’s account, 

12) The beneficiary’s bank makes the funds available to the benefi- 
ciary, 

13) The fund is accessible to the beneficiary. 


2. Important Contrastive Concepts 
(1) Credit Transfer and Debit Transfer 


In a debit transfer, the originator’s instructions are communicated to the 
originator’s bank by the beneficiary through the beneficiary’s bank; and the 
originator’s bank account is debited after the beneficiary’s bank account being 
credited. The funds are in effect “pulled” from the originator’s account by the 
beneficiary’s bank. In contrast, in a credit transfer, the originator’s instructions 
are communicated to the originator’s bank directly by him; and the originato- 
r’s bank account is debited before the beneficiary’s bank account being 
credited. In this case, the funds are “pushed” from the originator’s bank to the 
beneficiary’s bank. As a rule, the communication flow and the movement of 
funds are in opposite directions in a debit transfer but in the same direction in 
a credit transfer [3]. Due to the different characteristics between credit transfer 
and debit transfer, the legal issues pertaining to them should be discussed 
separately. 

(2) Large Value and Small Value 


The reason why large value and small value require different examination are: 


558 


a. both debit and credit transfers are needed to make a small value 
system fully effective; 

b. that small value transfer systems need to be far less costly per trans- 
fer; 

c. because small value transfers do not necessarily need to provide 
immediate value (real-time) payment, there may be commercial 
justifications for building in some delay (this gives the banks use 
of the float, and profits from that use can in part fund the system) 
[4]; and additionally, in principle, large value credit transfers are 
communicated and processed individually, their settlement 
mechanism is quite responsive to credit risks associated with the 
large values involved [5]. Therefore, for those reasons, rules 
applied to large value transfer should be different from small value 
transfer. 


(3) Domestic and International 


Broadly speaking, a Chinese domestic credit transfer is from an originator’s, 
to an intermediary bank (if any), and to a beneficiary’s bank where none of 
these banks is located in a country (or region, such as Hong Kong or Macao) 
with a currency other than Renminbi [6]. However, when it comes to the 
international level, the situation is by far more complicated. 

An international credit transfer is from an originator’s to a beneficiary’s 
bank where at least one of these banks is located in a country with a currency 
other than Renminbi, such as Hong Kong Dollar or Great Britain Pounds. 
Depending on the location of the originator’s and beneficiary’s banks in 
relation to the country of the currency, an international transfer is either onshore 
or offshore [7]. Whenever one of these two banks is located in the country of 
the currency, the transfer is onshore; it could be either incoming or outgoing. 
While an incoming onshore transfer is originated at an overseas/ Cross-border 
originator’s bank and its destination is a Chinese beneficiary’s bank, an 
outgoing onshore transfer is originated at a Chinese originator’s, and its 
destination is an overseas/cross-border beneficiary’s bank [8]. 

Conversely, whenever both the originator’s and the beneficiary’s banks 
are located outside the country of the currency, the transfer is offshore. It does 
not matter whether the two banks are situated in one or two countries (regions), 
as long as neither of them is located in the country of the currency. In any event, 
it is quite common for an offshore transfer to “pass through” one or more 
intermediary banks in the country of the currency, so as to become an offshore 
“passing through” transfer [9]. 

The necessities of distinguishing large value credit transfers in domestic 
dimension from international dimension are: 


559 


a) China’s domestic payment system, which is like pretty much all 
domestic payment systems everywhere, can only settle Renminbi 
business and not any other foreign currencies at present; in the case 
of international transfers, a foreign exchange transaction, which 
involves concurrent deliveries of two currencies between two 
counterparties, imposes lawmaker and participants parties to 
consider Herstatt risk [10], which does not exist in domestic 
transfers; 

b) legal issues arising from China’s domestic electronic funds 
transfers (including credit transfer and debit transfer) can be 
resolved by China’s domestic EFT law and the central bank 
(People’s Bank of China)’s regulations. 


However, in the context of international transfers, both in onshore and 
offshore transfers, an international electronic funds transfer may be subject to 
more than one law. Each account relationship in the transfer—for example, as 
between the originator and his bank, the originator’s bank and a correspondent 
bank, the correspondent bank and the beneficiary’s bank and the beneficiary’ 
bank and the beneficiary—may be subject to its own applicable law [11]. 


Part 2: Legal Analysis of Finality Rules in International 
Electronic Credit Transfers in China 


1. Does the currency being transferred influence the legal analysis 
of finality rules in context? 


It seems that the currency being transferred, like Renminbi or US dollars or 
Great Britain Pounds, has no influence on the legal analysis of finality rules, 
and broadly speaking, has no influence on the legal issues involved in the EFT. 
In the analysis, we try to abstract the legal issues out, and generally refer to 
what is transferred as “funds”. In other words, it is not the currency that is 
important, it is the process of the currency being transferred that is important. 


2. Deciphering the term “finality” 


The approaches to deciphering the term “finality” are argued differently by 
leading EFT law scholars in the English world. Prof. Jack (1989) distinguished 
four related concepts: discharge of the obligation paid by credit transfer, 
completion of payment, the countermand or revocability of the credit transfer, 
and the availability of funds [12]. Prof. Ross Cranston agreed upon most of 


560 


the classification, but split the “countermand or revocability of the credit 
transfer” into two separate concepts, “bank reversal” and “countermand by the 
originator” [13]. 

Prof. Benjamin Geva, however, suggested that he found this proliferation 
of concepts and terms to be unhelpful. “Bank reversal” seems to be covered by 
“completion”. Insofar as it coincides with the accrual of rights to the 
beneficiary, “completion” coincides with “discharge” [14]. He concluded that 
“completion” pertains to the payment of each individual payment order. As 
such, it is a distinct concept. However, for the completion/finality of the credit 
transfer as a whole, the two central concepts are “discharge” and “revocation” 
[15]. 

However, the author suggests that, in the context of the Chinese law of 
international electronic credit transfer, it is worthwhile to distinguish the 
finality into four aspects, and discuss them respectively. Although some aspects 
might be covered by others (as correctly suggested by Prof. Benjamin Geva), 
the four aspects, which are: time of completion of payment, discharge of 
underlying obligation owed by the originator to the beneficiary, access to funds, 
and revocation, are examined from different angles. Let us examine each in 
turn. 


(1) Time of completion of payment 


The time of completion of payment is, somewhat, an ambiguous phrase. It 
relates to each individual payment order and also relates to the credit transfer 
as a whole [16]. In the case of each individual payment order, the time of 
completion of such payment order is either related to the countermand issue or 
bank reversal issues, which are discussed immediately below. Here, the time 
of payment specifically means the time of payment as a whole process. 


The time of payment as a whole process affects the following questions, 
which make it so crucial: 


e whether the debtor has paid his creditor on time where the contract 
between the originator and beneficiary requires payment to be 
made strictly on due date; 

e the time from which interest ceases or starts to run on credit 
balances 

e the ability of the originator to revoke a payment order 

e insolvency of the originator or beneficiary or a bank in the chain 
attachments of bank accounts by creditors 


561 


e freezing orders or embargoes on making payments 
e expropriation orders seizing bank accounts 
e set-off against bank deposits [17] 


Hence, what is the point in time that a whole payment process is 
completed? It is the moment that the payment obligation owed by the originator 
to the beneficiary has been fulfilled. 

The UNCITRAL Model Law on International Credit Transfers sugge- 
sted, “a credit transfer is completed when the beneficiary’s bank accepts a 
payment order for the benefit of the beneficiary[18].” Some countries 
stipulated, “a credit transfer is completed when the beneficiary’s bank credits 
the beneficiary’s account or when the beneficiary’s bank notifies the 
beneficiary of such a credit” [19]. Although the Model Law applies different 
rules from those countries, the author would suggest that Chinese lawmakers 
should adopt the Model Law for the reason suggested below: 

In most cases of international large value electronic credit transfer, the 
beneficiary’s bank is chosen and appointed by the beneficiary itself. Therefore, 
it is reasonable for the law to allocate relevant risk to the beneficiary. Those 
risks encompass the risk that the beneficiary’s bank fails to fulfill its obligation 
to credit the fund to the beneficiary’s account, the risk that the beneficiary’s 
bank becomes insolvent, the risk that the beneficiary’s bank accepts the funds 
contrary to the originator’s instructions, and any other risk that could cause the 
result that the fund is unavailable to the beneficiary [20]. 

Some scholars tried to explain the reason why the time of completion of 
payment is chosen at the time that the beneficiary’s bank accepts the payment 
order for the benefit of the beneficiary, from the perspective of the law of 
agency. The beneficiary’s bank is considered as the agent of the beneficiary, 
who is the principal in EFT relationship. The principal has granted the 
authority/right to the agent to accept payment from the originator, once the 
beneficiary’s bank exercises the right within the scope of authority, and the 
legal consequence of such exercise is attributed to the beneficiary. However, 
the author suggests that due to the significance of EFT for the proper working 
of a modern economy, it is not necessary to mechanically apply the law of 
agent theory or any other existing rules. It should be worthwhile to create a 
brand new independent legal relationship, named “EFT relationship” [21], and 
the time of completion of payment should be considered under the framework 
of EFT, rather than law of agent. 

(2) Discharge of underlying obligation owed by the originator to the 
beneficiary 

Followed by the time of completion of payment, the question to be examined 
is the discharge issue, namely, whether the Chinese EFT law should be 


562 


stipulating a provision that “a completed/finalized payment would necessarily 
discharge the underlying obligation owed by the originator to the beneficiary”. 
If not, private agreement between the originator and beneficiary would do so. 

When we look at the drafting process of the UNCITRAL Model Law 
on International Credit Transfers, the UNCITRAL working group has also 
proposed a provision to discharge the underlying obligation of the originator 
owed to the beneficiary as a legal consequence of a finalized payment: 


Art. 11 (2) “The obligation of the debtor is discharged and 
the beneficiary’s bank is indebted to the beneficiary to the extent 
of the payment order received by the beneficiary’s bank when 
the payment order is accepted by the beneficiary’s bank” [22]. 


However, this provision has been strongly rejected by a considerable number 
of countries. 

Canada believed that “this provision is an error to purport to discharge 
the obligation as soon as the beneficiary’s bank accepts the payment order (this 
version of the draft of Model Law also proposed the payment becomes final for 
the beneficiary when the beneficiary’s bank accepts the payment instruction), 
because acceptance may occur at a time significantly before the time that the 
beneficiary actually receives payment from the beneficiary’s bank” [23]. 

Even more sharply, Switzerland argued, “the Model Law must not 
intervene in the basic relationship between the originator and the beneficiary. 
The transfer is independent of the relationship with the basic transaction and 
all provisions of the Model Law, which directly or indirectly refer to that 
transaction, should be eliminated. For the sake of clarity, it could even be stated 
in the Model Law that the transfer is abstract and independent of the legal 
relationship underlying it” [24]. 

However, it should be noted that the abstraction or independence here, 
is different from the abstraction in “juristic act of right in rem”, which is a 
highly conceptualized terminology created by the great German jurist, Savigny 
in 19" century. Savigny is the inventor of the theory of “legal transaction”, 
which distinguished act of disposition (Verfugungsgeschdaft, in Chi- 
nese) from act of obligation (Verpflichtungsgeschdft, O0 in Chinese) 
[25]0.A common example given by Savigny is in a scenario that A is buying a 
newspaper from B for the price of 10 Yuan [26]. There are three legal acts 
involved. The contract between A & B is a act of obligation, which creates 
rights of obligations between A and B; A paying 10 Yuan to B is a act of 
disposition (the objective of disposition is the 10 Yuan); and B handing over the 
newspaper is another act of disposition (the objective of disposition is the 
newspaper). The issue of abstraction arises from the point that, even if the 

































































563 


contract between A & B is/becomes invalid/nullified or is terminated, such 
invalidity/nullification or termination will not influence the effectiveness of 
the two acts of deposition. In other words, the two acts of deposition are 
abstract/independent from their reason (the “causa” in Roman law) [27]. 

Nevertheless, the abstraction/independence issue pertaining to finality 
rules in EFT law is different from its original meanings in Savigny’s theory. 
Savigny’s abstraction theory is a bottom-up direction; the act of obligation is 
at the bottom and the act of deposition is on the top, and thus the invalidity of 
the bottom will not influence the top. By contrast, the abstraction theory in 
EFT law is a top-down direction; the EFT payment relationship is at the top and 
the underlying obligation owed by the originator to the beneficiary is at the 
bottom, and therefore the EFT law should not stipulating that the finality of 
the top should discharge the bottom. 

The author suggests the Chinese EFT law should adopt such 
abstraction/independence in international credit transfers for three reasons: 

First, stipulating effects on the underlying relationship between the 
originator (debtor) and the beneficiary (creditor) has overstepped the scope of 
EFT law. EFT law should focus solely on adjusting relationships specifically 
arising from electronic funds transfers. Such underlying relationship is better 
resolved by the law of obligation, or the forthcoming Chinese Civil Code, or 
even criminal law if criminal issues are involved, such as money laundering. 

Second, if abstraction/independence does not exist in the EFT law, the 
consequence will be that the clearing systems, CNAPS [28] in China, and other 
clearing systems in relevant countries, will be requested to decide the dispute 
between the originator and the beneficiary which arises from the underlying 
transaction. This is obviously unfair and over burdensome for the clearing 
systems, since they do not have the information they would need, the necessary 
resources, and the authority, to be able to judge or justify the underlying 
relationships of each transaction that they undertake. Also, if the clearing 
systems were allocated the responsibility of dispute resolution, the clearing 
systems would become inefficient than they ought to be. 

Third, it is necessary to be consistent with UNCITRAL’s Model Law on 
International Credit Transfers, which, in its main text, omitted the proposed 
discharge provision of underlying obligation owed by the originator to the 
beneficiary [29]. If China’s rule on international credit electronic transfers is 
inconsistent with the international prevailing rule on this matter, potential 
conflicts may well occur. For instance, a finalized cross-border credit EFT 
might be argued by the originator to have discharged the underlying obligation 
between the originator and the beneficiary, and argued counterwise, by the 
beneficiary, that such transaction has not discharged the originator’s underlying 


564 


indebtedness. This is a further reason why the article of discharging underlying 
obligation between the originator and beneficiary should be omitted. 

Finally, although the author believes that a discharge provision should 
not appear in EFT law, private agreements between the originator and 
beneficiary could specify the discharge issue in the underlying obligation owed 
by the originator to the beneficiary. 


(3) Access to Funds 


A finalized payment means that the funds are available to the beneficiary. 
However, the availability of funds does not necessarily mean that the 
beneficiary has been granted a right to unrestricted and immediate to access the 
fund. There are at least two possible ways that availability does not constitute 
access: 

Firstly, the beneficiary may still be indebted to the bank (or “in the red”) 
after a fund transfer and have agreed with its bank not to draw on its account 
until its indebtedness is reduced still more or possibly eliminated altogether. 
The funds are available, but by agreement the beneficiary does not have the 
right to access to them. Secondly, by agreement between the beneficiary and 
his bank, a customer may be able to draw on its account prior to the funds 
being available. This is a well-known phenomenon in domestic banking, where 
payees of cheques are given credit before funds are cleared, and there is no 
reason in principle why it cannot apply to international funds transfers [30]. 
These two possibilities are suggested by Prof. Ross Cranston from the 
perspective of English banking practice, which also exists in Chinese banking 
practice. 

In sum, a finalized payment is equivalent to availability of funds, but 
not necessarily equivalent to the beneficiary’s access to funds, and it is 
reasonable to leave this issue to be regulated by private agreements between the 
beneficiary and his bank, rather than by EFT statutes or international 
conventions. 


(4) Revocation (including countermand by the originator and bank 
reversal) 


The question being examined under the subtitle of “revocation” encompasses 
countermand by the originator and bank reversal by each participating bank, 
namely at what stage the originator is entitle to countermand his payment 
instructions, and at what stage each participating bank is entitled to reverse the 
payment to its recipient bank. In other words, countermand is part of the ori- 


565 





ginator/originator’s bank relationship, whereas bank reversal is the participa- 
ting bank/recipient bank (i.e. bank/bank) relationship. 

In English law, summarized by Prof. Ross Cranston, in the absence of 
express contract, the English authorities seem to establish the following 
propositions relevant to the originator’s countermand in an international funds 
transfer. Firstly, an originator who instructs its bank to holds funds to the 
disposal of a third party can countermand at least until the time when the funds 
have been transferred or credit given to the beneficiary [31]. Secondly, an 
originator who instructs its bank to transfer funds to a third party cannot revoke 
from the moment the bank incurs a commitment to the third party [32]. 
Thirdly—and this is the typical case—a originator who instructs its bank to 
pay another bank to the order of a third party cannot revoke once the payee 
bank has acted on the instructions [33]. This may be a point prior to crediting 
of the payee’s account. In all these cases, it is irrelevant, from the point of view 
of revocation, whether the third party has been informed [34]. 

As we can observe that, under English law, those rules relating to 
countermand were established hundreds of years, or at least several decades 
ago, when a countermand instruction by the originator was possible due to the 
relatively low speed of clearing and settling the funds. However, in modern 
international credit transfers, electronic transfers are made at enormous speed 
once they have been set in motion and so the ability to revoke an order once 
action has been taken to process is very limited [35]. Therefore, after lengthy 
discussion and negotiation [36], the originator’s right of countermanding the 
payment order has been restricted within a very small scope. On this point, the 
Model Law stipulates that, 


“a payment order may not be revoked by the sender unless the re- 
vocation order is received by a receiving bank other than the 
beneficiary’s bank at a time and in a manner sufficient to afford 
the receiving bank a reasonable opportunity to act before the later 
of the actual time of execution and the beginning of the day on 
which the payment order ought to have been executed” [37], 


This provision stipulates therefore that a payment order may be revoked before 
it reaches the beneficiary’s bank. The Model Law further stipulates that, 


“A payment order may not be revoked by the sender unless the 
revocation order is received by the beneficiary’s bank at a time 
and in a manner sufficient to afford the bank a reasonable op- 
portunity to act before the later of the time the credit transfer is 
completed and the beginning of the day when the funds are to be 
placed at the disposal of the beneficiary [38]”. 

This provision explains when a payment order may be revoked even after it 


reaches the beneficiary’s bank.Nevertheless, the Model Law also opened the 
566 


revocation issue to private agreements between relevant parties. Art. 12 (3) 
says: 


“the sender and the receiving bank may agree that payment 
orders issued by the sender to the receiving bank are to be 
irrevocable or that a revocation order is effective only if it is 
received earlier than the time specified in the above cited two 
paragraphs”. 


When it comes to bank reversal, the rules of bank reversal are also co- 
vered by Art. 12 (1), (2), and (3), no matter what reasons for the bank reversal. 
This is because the mechanism through which a payment instruction is coun- 
termanded, once it has left the control of the originator’s bank, is through bank 
reversal. The time limits for countermand in Art. 12 (1), (2), and (3) of Model 
Law are thus also the time limits for bank reversal. 

The author recommends Chinese lawmakers to adopt the approaches 
suggested by the Model Law, because, unlike the UK and US, which have 
already established a comprehensive and sophisticated legal system for 
international credit transfers [39], China is in a position of zero start in 
regulation of international credit transfers. There is no high cost for China to 
abandon an old law, and to replace it with a new one. The easiest thing is to 
follow the prevailing international banking practice and to get involved in the 
global large value payment market efficiently. 

Meanwhile, although the revocation rules in the Model Law are different 
from the revocation rules of China’ domestic large value credit transfer 
currently in use [40], there will not be any conflict, because the targeted 
applicable markets (domestic and cross-border) are not overlapping with each 
other. 


Conclusion 


Finality rules for international large value credit transfers in China can be 
divided into four aspects for the clarity of examination, and hard law (statutes 
and international conventions) and soft law (private agreements and internal 
rules of payment systems) should be comprehensively and flexibly applied to 
facilitate the operation of transactions. Critically adopting the approaches in 
Model Law and learning banking practice from the UK and US would be a 
shortcut for China to develop faster in the international payment markets. 

Rapid changes of technology in the international payment world also 
affect the finality rules [41], and it should be a general approach for Chinese 
lawmakers to minimize the need for legislation and hard law, and turn to private 
agreements and soft law, since inflexible rules would stifle competition and 
technological progress [42]. 


567 


Notes 


[1] “Stones from other hills may serve to polish the jade "is a well-known Chinese saying, 
which means advice or suggestions from others may help one overcome one’s shortcomings 
or resolve one’s difficulties. Here, the stones refer to finality rules in UNCITRAL Model 
Law and finality rules in English law. 

[2] Thereafter, “payment instruction” has the same meaning as “payment order”. 

[3] Reed, C, Walden, I, & Edgar, I, (2000). Cross-border electronic banking: challenges 
and opportunities. 2™ ed., London, UK: Lloyd of London Press, p. 2 & 3. 

[4] This explanation was kindly suggested by the author’s supervisor, Prof. Chris Reed, 
and the whole paper has been carefully commented by Prof. Chris Reed. The author is ex- 
pressing his deep appreciation here. 

[5] Geva, B (2001). Bank Collections and Payment Transactions: a comparative legal 
analysis. Oxford, UK: Oxford University Press, p. 186. 

[6] Renminbi (literally “people’s currency”) or the Yuan is the official currency in the 
mainland of the People’s Republic of China (PRC). Retrieved June 11" 2007, see more in- 
formation @ http://www.chinadaily.com.cn/bizchina/2006-09/29/content_699307.htm 

[7] This definition and classification originally appeared in Geva, B (1992-2000). The Law 
of Electronic Funds Transfers, New York, US: Mattew Bender,§4.02., and subsequently 
followed in Hapgood, M, (1996). Paget’s Law of Banking. (11" edn.), London, UK: But- 
terworths, 272-6. 

[8] Id. at 3, p. 188. 

[9] Id. 

[10] Herstatt risk arises in foreign exchange transactions, i.e. where two currencies are 
traded. The transaction involves the exchange of two credit transfers, one in each currency, 
between two banks. Each transfer is made on the same day as determined by the underlying 
foreign exchange contract made between the banks. In theory, each delivery obligation is 
concurrent, but in practice there may be a time delay between the two transfers as each one 
is carried out separately. This time delay means that a bank which has completed its transfer 
of funds runs the risk that its counterparty may fail to complete its side of the bargain. The 
risk is known as “Herstatt risk” following the collapse of the German bank Bankhaus ID 
Herstatt KGaA in June 1974. 

The explanation of Herstatt risk is given by Brindle, M & Cox, R, (ed.), (2004). Law of 
Bank Payments. (3 ed.), London, UK: Sweet & Maxwell, p. 64. 

[11] Id. p. 58. 

[12] Jack, R, (1989). Banking Services: Law and Practice Report by the Review Committee. 
London, UK: Her Majesty’s Stationery Office, at 107, around n. 6 and more in general, 
throughout Ch. 12. 

[13] Cranston, R “Law of International Transfers in England”. In Hadding, W & Schnei- 
der, U (1993) (eds.), Legal Issues in International Credit Transfers. (p. 228). Berlin, Ger- 
many: Duncker & Hamblot. 

[14] Id. at 5, p. 270. 

[15] Id. at 5, p. 272. 

[16] Id. at 5, p. 271. 

[17] Wood, P, (1995). Comparative Financial Law. London, UK: Sweet & Maxwell, 28-1. 
[18] Art. 19 (1), UNCITRAL Model Law on International Credit Transfers. 

[19] Liu Y, (2001). Legal issues research on electronic funds transfers. Beijing, China: Law 
Press China, p. 336. 

[20] This argument is suggested by “International Credit Transfers: major issues to be con- 
sidered by the working group” UNCITRAL Doc. (A/CN. 9 /WG. IV/Wp. 42), para. 35. 
(not available on the UNCITRAL’s official website). 


568 


[21] Id. at 19. p. 356. 

[22] UNCITRAL working group on international payments, “Draft model rules on elec- 
tronic funds transfers” (A/CN. 9/WG. IV/WP. 39), p. 88. Retrieved on March 27%, 2007 
@ http://www.uncitral.org/pdf/english/yearbooks/yb-1989-e/vol20-p88-102-e.pdf. 

[23] UNCITRAL working group on international payments, compilation of comments by 
governments and international organizations (A/CN. 9/347 and Add. 1), p. 107. Re- 
trieved on March 27%, 2007 @ http://www.uncitral.org/pdf/english/yearbooks/yb-1991- 
e/vol22-p102-144-e.pdf. 

[24] Id., p. 125. 

[25] Because the author does not read German, therefore, the legal ideas from German 
jurists were learnt from either its Chinese version or English version. Wang, Z, (2001). 
General principles of civil law. Beijing, China: China University of Political Science and 
Law Press, p. 262. 

[26] Id. at p. 270. 

[27] Id. at p. 262. 

[28] China’s payment systems consist of China National Advanced Payment Systems 
(CNAPS) (the most important system), regional (cities and counties) payment systems 
(LCHS), and commercial banks’ intra-bank payment systems. CNAPS is the main body 
responsible for large value Renminbi electronic funds transfers. Retrieved on June 2", 
2007. See more CNAPS information @ http://www.pbe.gov.cn/zhifutixi/zhifuging- 
suanxitong/zhifuxitong/ 

[29] In article 19 of the Model Law, the Commission only suggested the following text for 
States that might wish to adopt it: 

“If a credit transfer was for the purpose of discharging an obligation of the originator to the 
beneficiary that can be discharged by credit transfer to the account indicated by the 
originator, the obligation is discharged when the beneficiary’s bank accepts the payment 
order and to the extent that it would be discharged by payment of the same amount in cash.” 
[30] A third possibility that availability of funds is not equivalent to access to funds, in 
English law, is that a bank may be estopped from denying access to an account, having 
represented to the beneficiary that funds are available, even though in fact they are not. For 
estoppel to arise, however, the beneficiary must have relied somehow on the representation. 
In Chinese law, however, there is no such kind of estoppel principle. 

[31] Gibson v. Minet (1824) 130 E. R. 206. 

[32] Warlow v. Harrison (1859) 120 E. R. 920. 

[33] Astro Amo Compania Naviera S. A. v. Elf Union S. A. (The “Zographia M”) [1976] 2 
Lloyd’s L. R. 382. 

[34] Id. at 13, p. 233. 

[35] Id. at 17, 28-2. 

[36] The discussion can be read in UNCITRAL documents, U. N. Doc. A/CN. 9/WG. 
IV/Wp. 39, Art. 8. Retrieved on June 1*, 2007 @ http://www.uncitral.org/pdf/english/year- 
books/yb-1989-e/vol20-p88-102-e.pdf. 

[37] Art. 12 (1), UNCITRAL Model Law on International Credit Transfers. 

[38] Art. 12 (2), UNCITRAL Model Law on International Credit Transfers. 

[39] In the UK, Cross-Border Credit Transfers Regulations 1999 and case law, e.g. Momm 
v. Barclays Bank International Ltd [1977] and Libyan Arab Foreign Bank v. Manufactur- 
ers Hanover Trust Co. [1989], constitute the backbone of the law of international credit 
transfers. In the US, Uniform Commercial Code Article 4A, Federal Reserve Regulation J 
and case law, e.g. Delbrueck & Co v. Manufacturers Hanover Trust Co. [1979], constitute 
the legal framework of international credit transfers. 

[40] China’s domestic revocation rules stipulated by “Measures on domestic large value 
payment system (trial) are: 


569 


Article 23, a payment transaction, initiated by originator’s bank or chartered participant, can 
be cancelled by sending cancellation request to the large value payment system. National 
Process Centre (NPC) bears the responsibility to cancel the payment immediately as long 
as the fund has not been cleared yet; once it has been cleared, no cancellation applies any 
more. and Article 24, a payment withdrawal request has to be sent to the large value 
payment system. The receiving bank bears the responsibility to reverse the fund as long as 
the beneficiary’s bank account has not been credited. If the beneficiary’s bank account has 
been credited already, the originator’s bank needs to inform both originator and beneficiary 
to negotiate and reach an agreement if the withdrawal request was initiated by the 
originator; on condition that the withdrawal request was initiated by the originator’s bank, 
then such agreement shall be made between the originator’s bank and receiving bank by 
negotiation. 

[41] UNCITRAL Legal Guide on Electronic Funds Transfers, p. 82. 

[42] Id. at 13, p. 235. 


References 


l. Brindle, M & Cox, R, (ed.), (2004). Law of Bank Payments. (3" ed.), London, UK: 
Sweet & Maxwell. 

2. Cranston, R “Law of International Transfers in England”. In Hadding, W & Schneider, 
U (1993) (eds.), Legal Issues in International Credit Transfers. Berlin, Germany: 
Duncker & Hamblot. 

3. Geva, B (2001). Bank Collections and Payment Transactions: a comparative legal 
analysis. Oxford, UK: Oxford University Press, 

4. Geva, B (1992-2000). The Law of Electronic Funds Transfers, New York, US: Mattew 
Bender. 

5. Hapgood, M, (1996). Paget’s Law of Banking. (11" edn.), London, UK: Butterworths. 

6. Jack, R, (1989). Banking Services: Law and Practice Report by the Review Committee. 
London, UK: Her Majesty’s Stationery Office. 

7. Liu Y, (2001). Legal issues research on electronic funds transfers. Beijing, China: Law 
Press China. 

8. Reed, C, Walden, I, & Edgar, I, (2000). Cross-border electronic banking: challenges 
and opportunities. 2"4 ed., London, UK: Lloyd of London Press. 

9. Wang, Z, (2001). General principles of civil law. Beijing, China: China University of 
Political Science and Law Press. 

10. Wood, P, (1995). Comparative Financial Law. London, UK: Sweet & Maxwell. 

11. Documents prepared by UNCITRAL working group on international payments. 


570 


XBRL — the Tool for Automated Semantic Readability of 
Electronic Financial Statements 


Ladislav MEJZLIK 
Head of Department of Financial Accounting and Auditing 
Faculty of Finance and Accounting, University of Economics Prague 
Winston Churchill Sq. 4, CZ-13067 Prague 3 — Žižkov, Czech Republic 


Imejzlik@vse.cz 


Jana ISTVANFYOVA 
Senior lecturer of Department of Financial Accounting and Auditing 
Faculty of Finance and Accounting, University of Economics Prague 
Winston Churchill Sq. 4, CZ-13067 Prague 3 — Zizkov, Czech Republic 


istvanfy@vse.cz 


Abstract: The paper deals with general questions of business 
data communication, particularly it focuses on the XBRL open data for- 
mat. The XBRL concept and taxonomy is analyzed to a grater extent as 
well as both circumstances supporting the concept and preventing it from 
its larger international use. Moreover, the structure and activities of the 
non-profit XBRL International association is described, together with a 
report on an XBRL implementation process carried out in the USA, EU 
and the Czech Republic. Finally a brief list of possible XBRL imple- 
mentation impacts on financial reporting issues is discussed, mainly on- 
line reporting and continuous auditing is surveyed. 


Keywords: Financial Accounting, Accounting Information System (AIS), Extended 
Business Reporting Language (XBRL), Business Reporting on the Internet, Interna- 
tional Financial Reporting Standards (IFRS), Electronic Data Interchange (EDI) 
Note: This paper was prepared in the framework of the research plan Development of 
Accounting and Financial Theory and its Application in Practice from Interdiscipli- 
nary Point of View (registered number MSM 6138439903). 


1. New requirements on corporate data communication 


With the proliferation of computers, an interesting paradox occurred and still 
occurs. The dynamic development of computers caused the increase of data in 
growing number of fields being processed by information technology; how- 
ever the methods of data transfer between particular subjects, participating on 
processing and use of the processed data, did not follow this rapid develop- 
ment. The computer systems’ integration was very intensive within organiza- 
tions, but did not reach the desired level especially in cases, where effective 
agreement on formats of transferred data between the subjects could not be 


571 


reached. Such an agreement is relatively simple between two contractual par- 
ties (Supplier — Customer), but is difficult in a Corporation — Investors rela- 
tionship. Globalization of the Economy rather worsened the situation. The 
result is a reality, where the communication between computers is paradoxi- 
cally frequently provided by a man. 

In its simplest form, the communication can look like the following: 
data processed by the company by the means of the latest corporate financial 
system are presented on the Internet (e.g. financial statements in the Annual Re- 
port), but to a very sophisticated software of a financial analyst, or a stock bro- 
ker the information is entered manually by copying it from one window of an 
Internet Browser or MS Excel into another window of the analytic software, 
manually by a relatively highly qualified operator, necessary to determine, 
which information form which line of the Company’s financial statement be- 
long to which entry field of the analytic software. Data transfer by this method 
concerns, according to statistical assessment, millions of data worldwide, con- 
suming tremendous amounts of labour of qualified personnel with dispropor- 
tional risk of non-systemic errors, representing in the end effect high financial 
costs and risks. 

Various initiatives are attempting to solve the above described condi- 
tion since the seventies of the last century, creating agreed consistent data for- 
mats, intended for information exchange between subjects, which accept and 
implement these formats into their information systems to be able to create and 
receive data in the prescribed format. Such Electronic Data Interchange — EDI 
systems achieved in certain areas and under certain conditions a high efficiency 
[1]. Systems of agreed fixed data structures are used e.g. between store chains 
and their suppliers, automobile makers and their subcontractors etc. In all such 
cases the informal power of one of the parties to enforce the utilization of such 
fixed format and the agreement of the other parties of “agreement” are im- 
pliedly expected. 

What kind of approach, however, should be applied in cases, when 
processors submit information in a variable structure for recipients they don’t 
know, in large numbers, and who are spread across the world in different lan- 
guage, technological and regulation environment? Corporate financial state- 
ments, submitted for use on capital markets, are a typical example. The 
financial statements can be regulated according to the content of their separate 
items, but cannot be regulated as to their formal form (unified balance sheet 
form with numbered lines and a checksum at the end, as we used to know it in 
CR in the past, cannot be expected in the international environment). It is also 
impossible to perceive who, into what type of computer systems and what kind 
of data for the financial statements will enter. The information with identical 


572 


content can be found in financial statements of different companies in differ- 
ent places, under different names in different languages and currencies, how- 
ever it is desirable to be able to load the information into different software of 
the information user. The New York Stock Exchange publicly trades securities 
of app. 15 thousand corporations worldwide [2], submitting its quarterly fi- 
nancial statements and other supplementary data, processed in the investors’ 
computer systems and by other users worldwide; the situation is similar on all 
major stock exchanges of the World. The probability of use of such informa- 
tion by users on an international scale is increased by the advancing global- 
ization of the financial markets and the economy as well. 

The described situation creates a demand for solution, enabling to struc- 
ture formally unstructured data and to tag them according to their meaning, so 
it can be read by other computer systems without the need of agreement on a 
fixed format between the participating subjects. The real chance for effective 
solution of the described issue is offered by languages based on marking par- 
ticular parts of the data files according to its meaning (semantics), based on 
open format, designated as XML (eXtended Mark-up Language). 

The XML language is a general solution of mark-up of random data and 
ahs in its principle nothing in common with any field of human activity. Its use 
is therefore independent and possible for any purpose. One of the emerging 
areas of XML language application if the communication of corporate data, 
leading to creation of specifically designed superstructure of the XML lan- 
guage, called XBRL (eXtended Business Reporting Language). 


2. XBRL Project 
2.1 The XBRL Substance 


Imagine we want to find out the amount of fixed assets of IBM Corporation. 
It is sensible to expect the information is published somewhere on the Internet 
and the efficient tool to search for it could be for example, the Google search 
engine. We can expect the information to be in English, so we enter “IBM fixed 
assets” into the search field. The 0.42 second search brings up 1,950,000 links, 
from which not even the first ones offer a relevant link to the information we 
are looking for, even though the search engine uses highly sophisticated algo- 
rithms and the meaning of the entered expression is, for most people, easily un- 
derstood [see Figure 1]. Majority of the result information does not have 
anything in common with the information sought after (the amount of fixed 
assets) and links lead to offers of software for recording the fixed assets or 
means of financing them. 


573 





What is the cause of this failure? The information on the www pages are 
presented in the HTML [3] language, whose primary goal is to ensure correct 
display of data on the page, but it does not deal with the meaning of the con- 
tent of the displayed data, therefore it does not make the semantic search for 
data on the Internet any easier. XML, on the other hand, does not deal with the 
formal look of the information (its display), but with the meaning. Even though 
both are Mark-up Languages, using tags to mark parts of the data, the utiliza- 
tion of the tags is principally different. 

XBRL is a specialized superstructure of the XML, designed for inter- 
change of corporate data. It is not a new bookkeeping standard, because it 
does not provide the regulation of the content of the transferred data, but only 
its readability in the electronic form. The above mentioned regulation of such 
data in global communication of corporate data is, of course, a necessary con- 
dition of the availability of the submitted information, but it is ensured by other 
standards — e.g. International Financial Reporting Standards (IFRS), published 
by the International Accounting Standards Board (IASB) [4] etc. XBRL there- 
fore only expands the possibility and efficiency of distribution and ensures the 
meaning readability of accounting information in transfer between different 
computer systems. 

From the above description it is obvious the regulation of the content 
and the meaningful readability are inseparably connected and are condition 
and support of one another. The readability of the meaning will not be utilized, 
until the transferred data are regulated according to the content and standards, 
ensuring the content regulation, will be accepted more intensively and sup- 
ported by a global meaning readability of the transferred data as well. 

The target vision for the future is that the data of the financial statements 
assembled according to IFRS are presented in XBRL, guaranteeing the com- 
parability of the contents of the published data, as well as the interpretation of 
the meaning by a random computer system of the user, regardless of what com- 
puter system of the translator created them, on global scale. 


2.2 Taxonomy 


Creation of taxonomy — for a particular purpose — is the basic condition of ef- 
ficient use of XBRL in a specific case. The taxonomy can be seen as a sort of 
catalogue of data elements (data vocabulary), that can appear in a given field 
of XBRL application and which ensures a score of information for each of the 
existing elements as verbal description, regulation rules, calculation relations 
to other elements etc. [see Figure 2]. 

These data catalogues (taxonomies) have to be created by somebody in 
the first place and only then can it be used by application programs for tag- 


574 


ging of the transferred data on the side of the translator, while on the other end 
of the recipient they can be, using the taxonomy, read by their meaning and en- 
tered into the user’s application program. 

Because the XBRL which is based on XML, is an open format, the tax- 
onomy can be created by any institution or organization, with sufficient pro- 
fessional and technical prerequisites, but also with prerequisites of a sufficient 
authority to enforce the created taxonomy. The created taxonomies can be fur- 
ther developed by the original author or according to individual needs of par- 
ticular users and translators as well, by simply adding further elements, 
necessary for proper tagging of the meaning of the presented data. 


XBRL International 


The XBRL creator and propagator worldwide is the non-profit organization 
XBRL International. This organization, based in New York, has been founded 
in 1998 by 13 founding members, while the fundamental initiator of the foun- 
dation was the American Institute of Certified Public Accountants (AICPA). In 
2002 XBRL International entered the international arena already with 140 
members; currently there are more than 300 organizations worldwide. 

The principle of the XBRL International operation is based on basic in- 
dividual jurisdictions in individual countries, working also on a non-profit basis 
and with national members helping to propagate XBRL especially by creation 
of the taxonomy and by implementation of XBRL in various fields of possible 
use. Particular national jurisdictions have to go through defined stages of prepa- 
ration and final approval, in order to reach the full member status in XBRL In- 
ternational, gaining the right to participate on the work and managements of 
XBRL International [6] at the same time. 

The cooperation with International Accounting Standards Board (IASB) 
is an important milestone in the history of XBRL International in creating the 
taxonomy for financial statements according to IFRS. The taxonomy has been 
published for the first time in 2002 [7]. The cooperation of IASB and XBRL 
International continues in mutual symbiosis. IASB use XBRL for higher sup- 
port o f the use of IFRS and XBRL also uses the advantages of IFBRS for its 
wider propagation. The result is, aside from the taxonomy for financial state- 
ments according to IFRS, the taxonomy for general use in publishing the cor- 
porate data, created in cooperation of XBRL International and IASB. The 
taxonomy is available to the public free of charge — its use is welcome and rec- 
ommended by both institutions. The cooperation between both institutions is 
supported by their close personal connection. 


575 


2.4 The prerequisites of XBRL application in practice 


Despite all the advantages of XBRL, described above, and even though there 
is an objective demand for such solution of corporate data interchange, the 
propagation of XBRL in practice is neither automatic nor simple. 

Lets’ analyze at least the major factors, supporting and preventing the 
propagation of XBRL: 





Positive Factors: Negative Factors: 






































@ XBRL Application brings considerable sav- 
ings on the side of the users of information, 
who are able to receive data automatically into 
their systems from various translators in dif- 
ferent structures and forms, without the need 
of agreement on a fixed data structure. 


e Application of the XBRL demands existence 
of a software on the side of the translator, as 
well as on the side of the receiver, featuring 
functions for processing data in XBRL format. 
This expectation is hardly always met. The lat- 
est version of programs of the MS Office pack- 
age are ready to process data in the XML 
format (this in XBRL as well) and Microsoft 
Corporation is among the leading propagators 
of XBRL. Propagation of these versions of pro- 
grams is bound to the innovation cycle of the 
software and to financial abilities of the com- 
panies, to upgrade such software. 


@ From the long term point of view the savings 
are achieved on the side of information trans- 
lators as well, because their systems are, after 
the implementation of XBRL, able to react 
more flexibly to the changing internal and ex- 
ternal conditions. Furthermore every data 
translator is in a certain way a user of the data 
as well, his system, after XBRL implementa- 
tion, will be able not only to create data in 
XBRL, but also able to read them. 


@ XBRL implementation into standard pro- 
grams, such as Word or Excel, is not enough; 
the ability to work with XBRL is needed directly 
at the information systems of companies and 
è XBRL implementation enables creation of | users’ application programs. 
outputs on the side of the translator that can 
be used multiple times by different users for 
different (even changing) needs, without the 
need to modify them individually. XBRL data 
create the only interface between the systems 
of the translator and the user. 


@ Score of SW producers uses for exchange 
of data their own proprietary formats, working 
well between programs from one producer, 
with considerable investments made for their 
development and purchase, so the transition 
to XBRL is not so obvious. 

© XBRL can be used not only for external re- 
porting, but also for data transfer between dif- 
ferent parts of the information system within 
an organization. 





e XBRL, enabling trouble free exchange of 
data between program systems of different 
manufacturers, paradoxically endangers their 
commercial policy and the interest not to allow 
products of other manufacturers to their 
clients. œ>. 


@ XBRL breaks the boundaries between vari- 
ous computer platforms, operation systems 
and languages. 

@ The benefit from the use of XBRL is usually 
larger on the side of thé user, who has no 
power to formally demand the use of XBRL by 
the translator, who bears most of the XBRL im- 
plementation costs 


@ Through the implicit feature of the taxonomy 
the application of XBRL enables increase of 
quality of the translated data, because the el- 
ementary control of ties between data is en- 
sure, automatic references to regulation rules 
are provided etc. 


è Data in XBRL can be restructured in the 
user’s system more easily, translated into an- 
other language, different currency or different 
content regulating rules, because the mean- 
ing of each element of the transferred data is 
known. 











576 


The regulating bodies, in whose competence the setting of rules for pub- 
lication of corporate data falls, have the critical influence in propagation of 
XBRL. Among them are the Securities Board, Central banks and banks in gen- 
eral, statistical bodies, governments and governmental agencies, supervisory 
bodies and inspection authorities etc. These authorities have the formal power 
to set rules for reporting of corporate data by the means of regulations, they 
issue within their competence, and thus are able to demand the use of XBRL. 

Unfortunately the decision making of the above mentioned institutions 
is conservative, subject to various, even irrational influences and many times 
unpredictable and inflexible. However, there are exceptions to this pessimistic 
assessment. 


3. Conclusion — impacts of use of the electronic data ex- 
change on the accounting reporting and audit conception — 
new trends 


The use of XBRL for communication of the corporate data, especially finan- 
cial statements of companies, has impact not only on increase of efficiency of 
the exchange of such information, but it can also have an influence of a con- 
ceptual character on the entire structure of the accounting reporting and veri- 
fication of data in the financial statements. 

By the use of contemporary corporate information systems, open data 
formats and the Internet as the means of communication, the computer sys- 
tems of the accounting information translators and their users can be connected 
on-line. Each accounting operation in immediately processed by the translator’s 
system and converted into the XBRL statements, presented on the Internet, so 
they can be used on-line by the computer system of the user, who can react to 
the reported data himself or automatically. This organization of accounting in- 
formation reporting breaks the current paradigm of financial statement pre- 
pared always with a given deadline after the end of a certain period, and creates 
the new term of “on-line reporting”. The described technical possibilities are 
one side of the issue and there are, of course, issues of the content and limita- 
tions of such solution. 

Any advancement for the traditional reporting for a period towards on- 
line reporting, and partially even the use of XBRL for traditional information 
for period may mean the change in the conception of accounting information 
audit. The Auditor will have to put a stronger accent on verification of the in- 
ternal verification system during planning and implementation of the audit, 
and verification of tests, built into the translator’s information system. The 
focus of his work will thus shift from the verification of material correctness 


577 


of the particular operations to the verification of the reliability of the system for 
processing them, i.e. in testing of the hypothesis, the reliable system cannot 
produce incorrect result with acceptable risk. Such verification of the reliabil- 
ity of the data processing system will not be possible to perform on a one-time 
basis after the end of the accounting period upon the presentation of the audi- 
tor’s finding on the statement, but it should take the form of continuous mon- 
itoring of the system- its reliability and changes made in its setting and 
operation. It could be expressed by a permanent statement of the auditor on 
the reliability of the system as such and not on the financial statement — creat- 
ing another new term “continuous auditing”. 

The possibilities and limitations of on-line reporting a continuous au- 
diting are, however, an individual area related to the subject of this contribu- 
tion only indirectly; their implement ability will be evident in the future. 


Notes 


[1] The initiative in this field reached the level of UN and a well known example is the UN 
EDIFACT system; in Czech Republic there is a commercial system EDITEL being used etc. 
[2]Tokyo Stock Exchange is now the leader, according to the number of traded corporations, 
ahead of New York Stock Exchange, and beside this and traditional European Stock Ex- 
changes, other Asian Exchanges are rapidly developing. 

[3] Hypertext Markup Language 

[5] International Financial Reporting Standard published by International Accounting Stan- 
dards Board, see www.iasb.org 

[6] Detailed information on the organizational structure, principles of operation and man- 
agement, professional boards and basic jurisdiction can be found on XBRL International 


web pages at http://www.xbrlorg 
[7] See http://www.iasb.org/resources/xbrl.asp 


578 





Appendix 


Figure 1 





fixed assets of IBM:- Vyhledat Googlem - Opera 




















i i e E] retein, google 2isearchrh=cstgefixed assets ofr IEMabtiG=Hedatelr= ils 
Web Ob Se e deter 


Google (fixed assets of IBM kai aetna 











@ Prohledat Web © ‘Stranky pouze česky. 








Web 
Tip: Hièdät påuzë výsledky said čëský. Na strénicé Nastavenf mizete uréit: svij jazyk hledani. 


Wysledkiy 1 10 z.asi 1950 000 via dotaz fixed asse! 





é:eniginsering the customer relationship: leveraging ... -Massey Počet citaci tohot článku: 44 
First-Mover Advantages + Lieberman - Počet citací tohoto článku: 741 ie: aes 
Profiting from technological innovation: implications... - Teece - Potet citací tohoto článku: 1715 


IBM Global Solutions: Directory 

Solution descripticn;, Fixed Assets software fo ihe IBM iSeries™ (BM AS400@). Solution’ 
web page, This link will launch ridary browser ... 

woew-304:ibm. com/jct09002c/gsdou/ Visplaysolutiondetails. do?solutiontd=3687 &lc=en - Ak- 
Atchi - Podobné: stránky 


pori Enhance the:performance:and reliability of your critical ... 

Format souboru: PDF/Adobe Acrobat -Zobrazit jako HTML ote 

critical transportation assèts with IBM Maxirrio. for Transportation. Highlights ... Fixed assets, 
including. buildings, maintenance. facilities and stations... ~ mca 

wow-03, ibm, confindustries/travel/docf content/binftrave!_mro_002_trans_brochure_10_14:pdf 


- Podobná stranky 


Fixed Asset Scanjiifid: Implenientation Abstract - UnixReview-com s 

Results for keyword: Fixed Asset Scanning implementation Abstract .... Catalog provides: 
access to hundreds. of reusable. assets from IBM. Software Group. «+. i S 
whitepaper uniireview. com/...? Fixed%20Asset%20Scanining%20lmplementation%2Q0Abstract 
- Podabné stránky 








Com. ources on TechRepublic i 
| Tags: Databases; digital asset management, IBM Corp. ; content:management, ..« perfect 
Ls i Sa aa ats (i cinerea ee 











Figure 2 


Contexts 





Element f Calculation 
(schema) 














Legal and Ethical Implications of GPS Vulnerabilities 


Muhammad Usman Iqbal! and Samsung Lim’ 
PhD Candidate!, Senior Lecturer? 
School of Surveying and Spatial Information Systems 
The University of New South Wales 


m.iqbal@student.unsw.edu.au', s.lim@student.unsw.edu.au” 





Abstract. The Global Positioning System (GPS) has slowly per- 
meated into the civilian community and has become an essential acces- 
sory for the modern individual. Various commercial applications heavily 
rely on GPS technology. GPS has also started receiving attention in court 
cases, where it has been admissible as evidence leading to convictions 
or proving innocence. However, GPS is a radio-navigation system and 
is prone to vulnerabilities that may be introduced intentionally or unin- 
tentionally. The legal literature has not debated the possibility of human 
alteration of GPS data in judicial reasoning which raises the prospect of 
forged GPS data being presented to courts by individuals who have the 
motive and the technical knowledge to do so. By exposing the weak- 
nesses present, this paper aims to draw the attention of the legal frater- 
nity to these issues which may put the legal system in a dilemma as 
over-reliance on GPS technology may produce disastrous results, espe- 
cially when innocence or guilt largely depends on GPS evidence. 


Keywords: Global Positioning System (GPS), Vulnerabilities, Court Cases, Privacy, 
Surveillance, Tracking, Legal, Mobility-Pricing 


Introduction 


The Global Positioning System (GPS) is a space-based radio-navigation sys- 
tem using a constellation of satellites (currently 31) and provides precise po- 
sition, velocity and timing information to receivers on the ground that can 
obtain the signals of four or more satellites simultaneously (FRaP, 1999). Pri- 
marily designed for military applications, it has recently seen widespread adop- 
tion by the civilian community with an explosive growth in the number of users 
and applications of this technology. Part of this demand stems from the changes 
prompted by GPS in the way some industries operate, from construction to 
emergency services. In fact, GPS is invading all walks of life, from personal 
navigation in cars and emergency location services for mobile phone users, to 
location-based charging systems such as GPS-enabled vehicle insurance and 
friend-finder services (Iqbal & Lim, 2006; Grush, 2005; Vidales & Stajano, 
2002; Zhang, Wang, & Hackbarth, 2003). 


581 


GPS devices have become pocket-sized, battery operated and commer- 
cially available at nominal costs. They are also being embedded into mobile 
phones, digital cameras, Personal Digital Assistants (PDAs) and watches. This 
ubiquity of location-determination devices enables tracking and monitoring of 
individuals by governmental entities, private entities and individuals which 
raises profound ethical, policy and legal issues for the society. In recent years, 
the legal system has encountered various cases involving the use of GPS either 
as evidence collected through surveillance by Law Enforcement Agencies 
(LEAs), or as a tool for invasion of privacy of individuals in the workplace or 
private lives. While GPS data has been used to indict and convict individuals 
for suspicious criminal activity, individuals have also presented GPS data to 
prove their innocence (ABC News, 2007a; ABC News, 2007b). In the United 
States, courts have debated whether surreptitious installation of GPS-tracking 
devices amounts to ‘search’ or ‘seizure’ requiring a warrant under the 4th 
Amendment. Most of these debates have revolved around the notion whether 
GPS tracking can be an invasion of privacy of individuals; however, there have 
been minimal discussions about the accuracy of this GPS data in legal con- 
texts and virtually no mention of the vulnerabilities of GPS data as a result of 
malicious human intervention in judicial reasoning. 

GPS is a radio-navigation system and is prone to certain vulnerabilities 
that may be either intentional or unintentional. This paper comprises of two 
experiments to highlight two weaknesses of GPS systems which may be in- 
troduced intentionally, specifically, malicious editing of GPS data, and spoof- 
ing of GPS signals, which means transmission of GPS-like fake signals with 
false positional data. These issues raise the prospect of forged GPS data being 
presented to courts by individuals who have the motive and the technical 
knowledge in an effort to inflict harm, to defame or to exonerate a person of 
criminal charges. By exposing the weaknesses present, this paper aims to draw 
the attention of the legal fraternity to these issues which may put the legal sys- 
tem in a dilemma where over-reliance on GPS technology in judicial settings 
may produce disastrous results, especially when innocence or guilt largely de- 
pends on GPS evidence. Therefore, it is imperative for legislators to acknowl- 
edge and address this problem. 

Before delving into the experiments that expose weaknesses of GPS re- 
ceivers, it would be worthwhile to review some legal and commercial scenar- 
ios where GPS is actively being used. 


582 


Background 
2.1 Legal Scenarios 


The United States constitution’s fourth amendment protects the right of peo- 
ple to be secure in their persons, houses, papers, and effects against unreason- 
able searches and seizures (Kilman & George, 2000). The fourth amendment 
test has been applied in various cases to decide whether privacy rights of indi- 
viduals were violated. The Supreme Court case that comes closest to the use 
of GPS tracking is United States vs. Knotts (1983), involving a “beeper’- a bat- 
tery operated Radio Frequency (RF) transmitter, which was attached to a chlo- 
roform container that the defendant had purchased and loaded in his car. The 
police followed the defendant by a combination of visual surveillance and the 
use of the beeper to locate the defendant’s rural cabin which turned out to be 
a drugs laboratory. Although a search warrant was obtained to enter the prem- 
ises, the court held that monitoring the vehicle while it was on public roads 
without a warrant was permissible because the defendant had no reasonable 
expectation of privacy when in public. According to the court, the beeper was 
merely an augmentation to the sensory faculties bestowed upon the police of- 
ficials at birth and was analogous to using a pair of binoculars while conduct- 
ing visual surveillance. 

The United States vs. Garcia (2007) case is a more recent one and di- 
rectly involves the use of GPS data for surveillance of suspected criminal ac- 
tivity and largely draws from the Knotts case. The police were tipped off by an 
informant that the defendant, who was recently released from prison for 
methamphetamine offences, had mentioned to him that he intended to produce 
meth again. The police located the defendant’s vehicle on a public street where 
it was parked and installed a GPS memory tracking unit under the rear bumper. 
After a few days, when the device was removed, the police were able to learn 
the car’s travel history since installation which led them to a tract of land that 
the defendant frequented and contained equipment and ingredients to produce 
meth. The defendant was arrested and charged with drug offences. The defen- 
dant contested to suppress this evidence as a fruit of an unconstitutional search 
because a warrant was not obtained before installing this tracking device. The 
7th Circuit Court of Appeals concluded that installation of the GPS tracking de- 
vice neither constituted seizure nor search because the device did not interfere 
with the driving qualities of the vehicle and was analogous to a police officer 
following the vehicle. However, the court did acknowledge that there was a 
practical difference between following a vehicle and using GPS devices. 

The cases discussed above involved surreptitious installation of tracking 
devices by law enforcement officials. Another extraordinary case that has re- 


583 


cently come to light involved the use of a GPS tracking device by a suspicious 
wife in her husband’s vehicle (Finz & Taylor, 2004). The data obtained from 
the tracking device led to filing of murder charges by the police in the death of 
the couple’s twelve year old baby-sitter. The device was placed by the wife in 
her husband’s truck a few days earlier because she suspected him of having an 
affair. The husband told the police that he went to drop the baby-sitter to her 
home when they took a detour to show her some horses, then accidentally ran 
her over as he turned his truck around on a rural road in central New York. He 
was initially charged with a felony count of reckless endangerment, but based 
on data obtained from the GPS unit the charges were raised to second degree 
murder as data revealed that the defendant did not take the girl to see horses at 
all. Instead, he drove around other roads and spent more than three hours with 
her behind an abandoned home. Police believed that the girl had gotten away 
from him when he drove over her. At the time of writing this paper, this case 
awaits a decision, but proves that GPS data was the major evidence for indict- 
ment. 

There has also been a trend to track and locate parolees, and sex-of- 
fenders using electronic means. GPS has become the technology of choice for 
implementing this. At least twenty-three states in the United States use GPS 
tracking of convicted sex-offenders and some states are even using GPS track- 
ing as an inexpensive transition program for low-risk offenders in order to 
make more room in the crowded prisons (Mohan, 2006). Usually worn as an 
anklet or bracelet by the parolee, GPS tracking has proven to be a powerful 
tool in strengthening the monitoring of high-risk offenders (Newschanel.com, 
2007). From real-time and retrospective monitoring of the subject’s locations, 
movement patterns can be developed, and unusual activity may be predicted 
(Iqbal & Lim, 2007). Additionally, by augmenting the tracking device with ad- 
ditional sensors, future models of these bracelets would also be capable to sense 
the presence of drugs and alcohol and transmit this information to a monitor- 
ing facility in near real-time (QuestGuard, 2007). This careful effort to weave 
ex-offenders into the fabric of society requires monitoring, but does it violate 
the privacy rights and would it motivate them to tamper with these devices is 
open to debate. 

Previous cases discussed the use of GPS tracking as evidence generat- 
ing convictions, for controlled rehabilitation and ethical monitoring of high-risk 
offenders. In the context of liability offences, there have been instances where 
motorists have successfully challenged issuance of speed tickets against them 
by providing GPS data as evidence (Wainright 2007). Recently, a motorist in 
New South Wales (NSW) was fined $203 for allegedly driving at 85 km/h in 
a 60 km/h zone. The motorist challenged the fine in court and presented data 


584 


from his on-board GPS navigator which showed that he was mostly travelling 
at a speed of 57 kw/h on that particular stretch of the road, which was also cor- 
roborated by a GPS expert in court. The motorist challenged the accuracy of 
the hand-held radar guns questioning how rigorously these guns were cali- 
brated each year. The traffic officials conceded in court that they had not taken 
the readings on their radar guns for the required length of time and had simul- 
taneously relied on their experience and visual estimates. The fines were over- 
turned in the district court setting a precedent for the admissibility of GPS 
evidence in NSW. 


2.2 Commercial Scenarios 


The concept of differentiated-pricing or mobility-pricing is not a new one. It 
has been identified as a method to accurately charge road-tax or motor-insur- 
ance based on actuarial principles of costs reflecting usage (Litman, 2003). 
GPS technology makes it possible to replace traditional flat fee insurance with 
an approach where insurance premiums are charged based on mobility. There 
have been successful pilot studies conducted throughout the world that use 
GPS technology to offer actuarially accurate insurance products (Tripsense 
2007; Norwich Union 2007). In the Australian context, a recent statement by 
an NRMA (National Roads and Motorists’ Association) Insurance official 
lauded the benefits that GPS-based insurance would offer to motorists but also 
acknowledged the inherent “Big-Brother-ish” qualities that such a product 
would implicitly have (NRMA 2007). 

Another related area of significant interest is congestion-charging of 
roads in central business districts which is being employed in various juris- 
dictions in an effort to curb congestion issues during peak hours (Litman, 
2005). These systems typically utilise Automatic Number Plate Recognition 
(ANPR) technology installed around the charging zone. There is a possibility 
that these systems may be augmented or replaced by GPS-based road-charg- 
ing as this approach would curtail maintaining and expanding the ANPR in- 
frastructure, thus offering cost reductions. In the UK, where London congestion 
charging has been operational for a while, there are suggestions to give addi- 
tional discounts to motorists who opt for GPS-based charging. There are spec- 
ulations that the British government has engaged with an insurance company 
offering mobility-priced insurance in an effort to acquire GPS data of its clients 
for its own GPS-based congestion-charging research (Hytch 2007). It is un- 
clear whether this data would be exclusively used for future GPS-based con- 
gestion charging or augmenting the already pervasive surveillance of roads is 
not clear. 

With regards to workplace tracking of employees, both GPS-enabled 


585 


mobile phones and fleet vehicles equipped with GPS are being used. In the 
United States, GPS-enabled mobile phones have been employed as a solution 
to satisfy the E-911 mandate enforced by the Federal Communications Con- 
sortium (FCC) requiring locating a caller to the emergency number ‘911’ within 
300 metres (E-911, 2004). This availability has naturally drawn the attention 
of employers for work-related tracking. Employees with company-owned GPS 
mobile phones can be located by the employer by accessing a website. Simi- 
larly, vehicles used by employees for work that have GPS-based telematics 
systems can be used to locate the vehicle. For instance, taxis have been 
equipped with GPS tracking for directing them to customers in minimum time 
(Karni, 2007). GPS data has also been used to maintain electronic travel logs 
for accounting and tax related purposes when using the vehicle for work. While 
there are advantages of improving productivity and reducing response times 
using tracking technology, there are potential privacy issues that need redress. 


Research Motivation 


The previous section reviewed scenarios from the legal as well as the com- 
mercial sector where GPS technology played a significant role. The situations 
discussed may motivate a person to tamper with or erroneously edit the GPS 
data contents in order to evade criminal charges, avoid financial liability, cheat 
mobility-pricing systems, provide false GPS alibis, escape speeding fines, 
frame another person of committing a crime, or simply misinform employers 
of their whereabouts. These motivations are significant enough to warrant a 
critical assessment of GPS vulnerabilities to intentional interference. 

The Volpe report (Volpe, 2001) summarises these vulnerabilities rang- 
ing from ionospheric interference and Radio Frequency (RE) interference in- 
cluding television broadcasts and VHF interferences in the unintentional 
disruptions to jamming, spoofing and meaconing of GPS data in intentional 
disruptions. The Ionosphere surrounding the earth at approximately 350 kms 
away refracts GPS signals transmitted from the satellite introducing certain er- 
rors in the position solution. Likewise, RF interference from TV and VHF 
transmitters may interfere with GPS receivers at ground level. J amming, as the 
name suggests means emission of radio signals of sufficient power that pre- 
vents receivers in the target area from tracking GPS signals. Meaconing is the 
reception, delay and rebroadcast of the radio-navigation signals to deceive the 
GPS receiver. Spoofing is a technique to deceive the receiver to lock onto le- 
gitimate-appearing false signals and make it believe that it is somewhere else. 

Another weakness in current GPS receivers open to exploitation is the 
design of storage memories where GPS data is saved. GPS devices lack any 
cryptographic protection for the tracks, routes and waypoints stored on its 


586 


memory, and a compatible software tool can be easily used to edit the posi- 
tional data. There is no method to validate, for the purpose of non-repudiation, 
that the claimed GPS positions on the storage memory were indeed generated 
as a result of the GPS receiver processing. Volpe (2001) reports that spoofing 
attacks would most likely be targeted towards individuals instead of large areas. 
Additionally, editing of GPS logs would also be likely performed by individ- 
uals on target receivers making it probable that these attacks would be launched 
by or against an individual. 

With regards to admissibility of GPS data as evidence in court, legal 
precedents have already been set as discussed earlier. Courts have regarded 
GPS technology to be ‘generally accepted and fundamentally valid’ (Fox News, 
2004) and waived any doubts about its credibility. Even in a case where a track- 
ing device installed on a murder suspect’s vehicle reported speeds of 30,00000 
mph, the data was still admitted to the court as evidence. Hugh Roddis, Chief 
Technology Officer for the Nova-Scotia-based Orion Electronics, which sold 
the GPS tracking devices to the police in this case acknowledged that GPS was 
“not exactly perfect”, but prosecution argued that inaccuracies accounted for 
only minutes as compared to days of surveillance data gathered(Finz & Tay- 
lor, 2004). 

In summary, the legal literature has not debated the possibility of human 
alteration of the data or more sophisticated attacks like spoofing. Additionally, 
no evidence has been found of any prescribed standards or practice of assess- 
ing vulnerabilities either in law enforcement environments or the commercial 
sector for the suitability of a GPS device for a specific task. This paper ques- 
tions the over-reliance on GPS data in legal proceedings and the commercial 
sector by arguing that these susceptibilities could be exploited to significantly 
or totally change the positional claims in the stored GPS data. With regards to 
spoofing, countermeasures exist, but Volpe acknowledges in his report that it 
would be unlikely that commercial receivers have these defences because of the 
costs involved in implementing them (Volpe, 2001, pp 39). Using off-the-shelf, 
commercially available GPS devices, this paper demonstrates that human abuse 
of GPS is plausible which may have drastic effects both on legal as well as 
commercial GPS uses. 


Research Study 


4.1 GPS Hardware 


Four different commercially available GPS tracking devices were used to con- 
duct the experiments, as shown in figure 1. Two of them had serial flash mem- 
ories, (figure 1: yellow and red borders) to log the GPS data on the same board 


587 


as the GPS receiver. One of the devices had a PCMCIA (or PC Card for short) 
interface to a Personal Digital Assistant (PDA) and stored National Marine 
Electronics Association (NMEA) format messages on the file system of the 
device (see figure 1:green border). The last one was a bluetooth GPS receiver 
that transmitted NMEA messages to any paired bluetooth device, e.g. a blue- 
tooth-enabled mobile phone, laptop or PDA (see figure 1: blue border). With 
the exception of one of the tracking devices, which utilised power from the 
cigarette lighter adapter of the vehicle, all other devices had batteries attached 
to the units (see figure 1: blue border). All the receivers had 12 parallel satel- 
lite tracking channels, with accuracies ranged between 15m-22m on the hori- 
zontal plane and a price tag of under $250 (USD). 


4.2 Editing GPS data 


This experiment involved editing of the GPS data and a volunteer was required 
to install the GPS devices in a vehicle to collect data. An administrative staff 
member from the school, with little technical knowledge about these devices, 
was asked to take them with him in the school’s car when he left for conduct- 
ing some work-related tasks. These devices were powered-on and were at- 
tached to the front dashboard of the vehicle using double-sided adhesive tape. 
The antennas of the GPS receivers had line-of-sight to the open sky. The vol- 
unteer brought back all the four devices after completion of the trip and re- 
ported that he had visited the bank and an office goods supplier before returning 
back to the university. 


Scenario 1: NMEA messages output to the file system: 


Two of the GPS receivers generated NMEA output, which were connected to 
a mobile phone and PDA respectively. The NMEA output was stored as a text 
file on the file system of the mobile phone and the PDA. The NMEA format 
was primarily developed as an interface between marine electronic equipment 
therefore its contents are not intelligible to humans. However, there are soft- 
ware converters available that can easily convert between NMEA and various 
other data formats (for instance GPX, KML, Shapefile, CSV), which makes 
this data comprehensible to users. Using editors for these formats, the data 
variables including positions, speed and the times can be altered and then trans- 
lated back to NMEA, and the same file can be overwritten with the edited con- 
tents. There is no method to verify that the contents of the NMEA file are 
produced as a result of the GPS receiver’s processing. 

The same technique was used to edit the contents of the NMEA files 
created as a result of the volunteer’s trip. On the return leg of the vehicle, a fake 


588 


stop-over was added, right in-front of a sports-bar (see figure 2). The data was 
edited to report that the vehicle was parked in this compound for 30 minutes 
before proceeding back to the university. When the volunteer was asked about 
these embarrassing situations which he rightly denied them, but did not have 
any answer how it may have occurred. The volunteer was then explained about 
this vulnerability and that the deception involved was not to vilify him but 
rather expose the issues. 


Scenario 2: Binary data stored on flash memory 


In this scenario, the tracking devices stored the GPS data in proprietary binary 
format on the flash memory, as shown in figure 3 without casings, which is 
harder to edit as compared to the previous receivers. These devices have a USB 
interface that connects them to a computer in order to extract the data (see fig- 
ure 3: circled red). Both these devices come with software that is used to ex- 
port data into different formats. The user interfaces provided only gave 
read-only access to the data on these tracking devices’ flash memory (see fig- 
ure 3: circled yellow). 

Further investigation of these flash memory chipsets led to the fact that 
they were general purpose serial flash memory chips and have been used in a 
range of devices, including mobile-phones. The data-sheet specifications for 
them are widely available explaining how to write binary data onto them 
(Atmel, 2005). These flash memories are not secure, and do not have any meas- 
ures to indicate if they have been tampered with. If a technically savvy person 
with basic electronics skills is able to understand the format that the manufac- 
turer used to store GPS data, it is possible to reprogram the contents of the 
flash memory using the same USB interface that is used to download the data 
to a computer. Alternatively, as the tracking devices are commercially available 
it is not hard to obtain an additional GPS receiver of the same specification 
and use it in a vehicle to create a desired route so that the flash memory has the 
required data. Then either a swap of the boards or a swap of the flash memory 
makes it possible to put different contents on the tracking device. 


4.3 Spoofing attacks 


Spoofing attack, as explained in the introduction section is a sophisticated at- 
tack on an individual GPS receiver where a transmitter is used, that sends sig- 
nals very similar or identical to what GPS satellites would be transmitting. If 
transmitted at a slightly higher power than the actual satellite signals, it is pos- 
sible that the GPS receiver would lock onto these signals and would eliminate 
the actual satellite signals as interference or noise while computing position 
solutions as shown in figure 4. - 


589 


In order to test GPS receivers, various research facilities have access to 
GPS signal generators. These simulators generate RF (Radio-Frequency) sig- 
nals for different conditions in order to test receiver algorithms’ performance 
in situations involving interference, e.g. multi-path. These signal simulators 
can be used to conduct a spoof attack on receivers as they are capable of em- 
ulating the same PRN (pseudo-range number) of the existing satellites. A 
Spirent 6560 multi-channel GPS signal generator was used to generate a high- 
gain RF signal (see figure 5). This RF signal was outputted to a re-radiator an- 
tenna on the ceiling of one of the lab rooms (see figure 6). In order to mimic 
actual vehicular movement, logged NMEA data obtained by driving a car 
equipped with a GPS receiver was brought back to the lab, which was used to 
create a scenario in the signal simulator. This means that the output obtained 
from the re-radiator antenna would make a GPS receiver believe that it is in 
motion, and the GPS receiver’s processed data can be used to verify that it ac- 
quired the spoofed signals showing that the GPS receiver followed the vehicle’s 
track. 

With the exception of the tracking device that required power from the 
cigarette lighter, all 3 GPS receivers were placed beneath the re-radiator an- 
tenna. The scenario was then run on the simulator, which sent RF signal out- 
put of the satellite signals in such a way that it represented a vehicle’s motion 
on the roads when processed on the receiver. All the three receivers processed 
the signals emitted from the signal generator and computed false positions, 
thus validating Volpe’s inference about commercial receivers’ inability to de- 
tect spoof attacks. 


Discussion 


The exercise conducted verifies the hypothesis that it is possible to tweak the 
GPS data either by physically tampering with it, or by the use of more com- 
plicated spoofed signal attacks. Although it would require adequate technical 
knowledge to perform these hacks, the possibility cannot be ruled out. This re- 
search demonstrates that GPS data can be edited to portray a different scenario, 
which may be used to substantiate that a person was not going over the speed 
limit, or was at a friend’s place at the time of a crime incident, or an employee 
for a courier company was busy with delivery of orders, whereas in reality a 
different event may have occurred. The cases and circumstances discussed in 
section 2 may act as the perfect motive tempting a person to tamper with the 
GPS devices in order to prove innocence or guilt. 

Consider the Garcia case in the light of these exposed vulnerabilities. 
Garcia was under GPS surveillance on suspicion that he had intent to produce 
meth again. The tracking device was installed under the plastic bumper of his 


590 


vehicle when it was parked on a public street. Had he known about the pres- 
ence of the tracking device, he may have not travelled to the drugs laboratory 
site to raise further suspicion and avoid arrest. It is possible to imagine that he 
would have shielded the GPS antenna of the tracking device to prevent its op- 
eration. It can also be speculated that he would have sought technical assis- 
tance in cheating the GPS device by either physically editing the data on the 
tracking device or by conducting a spoof attack which would have resulted in 
the GPS device logging motion of the vehicle on roads of his choice resulting 
in the reversal of these suspicions and eventually misleading the police about 
his plans. Even if sophisticated tracking devices, which transmit locational in- 
formation in near real-time using the GSM network, were used, a carefully 
planned spoof reporting locations within the same mobile cell would have cir- 
cumvented precision tracking yielding fewer details. The same analogy can be 
applied to the other scenarios discussed, for instance, an employee who wants 
to avoid the employer knowing about a romantic rendezvous during working 
hours whose proof is in a GPS tracking device in the company car would make 
all possible attempts to erase or replace it even if it requires utilizing the ex- 
posed vulnerabilities. Additionally, financial liability matters, such as evasion 
of a speeding fine, may motivate a person to edit GPS data contents to prove 
that no offence occurred. Individuals may also not appreciate the idea of mo- 
bility-pricing of roads (insurance or a congestion charge) where a fee is appli- 
cable based on the distance covered and may rebel against it by trying to outwit 
the system by exploiting these weaknesses. This implies that cases where cor- 
roborative GPS evidence has been presented should be reviewed in the light of 
the issues highlighted here to avoid erroneous verdicts. 

In order to harden GPS systems against these weaknesses, several coun- 
termeasures can be implemented both in terms of policy as well as technology 
development. With regards to policy, it is clear that GPS output which is not 
exclusively read-only, whether in the form of NMEA messages or any other 
standard or proprietary format, should not be admissible in court as evidence 
due to its high susceptibility to tamper. Tracking devices that store GPS logs 
in proprietary binary format on the same board as the GPS receiver, and pro- 
vide read-only access, can still be edited with the correct know-how and tools, 
therefore expert advice should be sought when assessing these types of devices 
in court proceedings. One possible solution to this problem may be introduc- 
ing cryptographic techniques to the storage process, where GPS logs are en- 
crypted and digitally signed (Goldwasser, Micali, & Rivest, 1988) so that it 
can be verified that the data has been produced exclusively as a result of the 
GPS receiver processing and no other GPS receiver could produce those same 
results. 


591 


However, building in encryption and non-repudiation into the GPS hard- 
ware cannot prevent spoofing attacks. Several countermeasures against spoof- 
ing have been proposed in the literature (Volpe, 2001; Lagier, Craig, & 
Benshoof 2004). These include GPS receivers constantly measuring the re- 
ceived signal strength (RSS) of the satellite signals, and if significant difference 
beyond a certain threshold is found between the expected and observed signal 
strengths, the user can be alerted to a possible spoof attack. This countermea- 
sure fails if a sophisticated attacker also monitors the RSS and transmits its 
signals within the threshold, but slightly higher than the observed RSS. This 
countermeasure also fails if the person who owns the GPS device is the one 
tampering with it. Other similar solutions include angle of arrival discrimina- 
tion, amplitude discrimination, time of arrival discrimination, and crypto- 
graphic authentication (Volpe, 2001, pg 39). Military-grade GPS receivers 
work on encrypted signals known as the Precision Code or P-code. These sig- 
nals work on top of the Coarse Acquisition (C/A) code available for civilian 
users and can be unscrambled only by US military GPS receivers providing 
greater accuracy and robustness. Considering the increased reliance of the civil- 
ian transport infrastructure on GPS, there are suggestions to introduce signal 
authentication for civilian use too (Hein et al., 2007) in order to mitigate spoof- 
ing attacks. However, it is unlikely that these hardware, software and infra- 
structure extensions would be available to civilian GPS receivers in the 
imminent future. For applications such as mobility-based charging, tamper- 
proof hardware can be installed that prevents the owner or user of a vehicle to 
hack the system. The GPS device can be augmented with other sensors, for in- 
stance accelerometers can be installed and the odometer output can be com- 
pared to the GPS velocity to verify if the vehicle is actually in motion. 


Conclusion 


This paper addresses an important issue that has not been thoroughly examined 
before, the vulnerabilities of GPS systems and their implications in judicial 
reasoning and commercial settings. While GPS data has been used as an ef- 
fective tool in generating suspects, deterring criminal activities, repressing be- 
haviour, and improving response times, the exposed vulnerabilities question 
all these scenarios, by highlighting that the seriousness of these issues can be 
a motive for adversaries to exploit these susceptibilities to their favour. An in- 
nocent man may be convicted of a crime he never committed or a person who 
is the culprit in reality may get away by presenting forged GPS evidence. It is 
hoped that the results of this research would attract the attention of policy- 
makers, and rigorous ethical and legal safeguards should be implemented to 
protect the rights of the public from future abuse. The viewpoint that GPS is 


592 


generally valid means that there is an implicit over-reliance on this technol- 
ogy, and the experiments conducted have proven that the over-dependence may 
prove disastrous. 


Acknowledgement 


The authors wish to acknowledge the assistance provided by the ‘Metadata Scholar- 
ship’ from OMNILINK Pty. Ltd. for this research. 


References 


1. 


15, 


ABC News, (2007a). GPS evidence clears British sailors of wrongdoing, Vice-Ad- 
miral says. Retrieved October 10, 2007, from http://www.abc.net.au/news/stories/ 
2007/03/ 28/1884174.htm 

ABC News, (2007b). Commonwealth appeals against green zone GPS ruling. Re- 
trieved October 9, 2007, from http://www.abc.net.au/news/stories/2007/04/ 
26/1906741 .htm 

Atmel (2005). 1 megabit 2.7 Volt only Data Flash AT45DB011B Data Sheet. Re- 
trieved October 25, 2007, from, http:/;www.atmel-grenoble.com/dyn/resources/prod_ 
documents/doc1984.pdf 

Dempster, A. (2005). How Vulnerable is GPS? Position, no 20, pp64-67. 

Dornin, R. (2004). Judge allows GPS evidence in Peterson case. CNN.com. Retrieved 
October 5, 2007, from http://www.cnn.com/2004/LAW/02/17/peterson.trial/ 
Federal Communications Commission, Enhanced 911 — E911 (2004). Retrieved Oc- 
tober 15, 2007, from http://www.fcc.gov/9 11/enhanced/. 

Federal Radionavigation Plan-FRnP (1999). Interagency GPS Executive Board, 
Washington, DC. 

Finz, S. & Taylor, M. (2004). Peterson tracking device called flawed, Defense wants 
GPS evidence shut out of trial. San Francisco Chronicle. Retrieved October 4, 2007, 
from , http://www.sfgate.com/cgi-bin/article.cgi? file=/chronicle/archive/2004/02/12/ 
BAG7P4V69B1.DTL 

Fox News (2004). GPS Expert Testifies in Peterson Trial. Retrieved September 4, 
2007, from, http://www.foxnews.com/story/0,2933,132197,00.html 

Goldwasser, S., Micali, S., & Rivest, R.(1988). A Digital Signature Scheme Secure 
Against Adaptive Chosen-Message Attacks. SIAM J. Computing 17(2): 281-308. 
Grush, B. (2005). Optimizing GNSS-Based Mobility Pricing for Road-Use, Parking, 
and PAYD Insurance. 4th European Traffic Congress. Salzburg, Austria. 

Hein, G., Kneissl. F., Avila-Rodriguez, J.A., Wallner, S. (2007). Authenticating 
GNSS: Proofs against Spoofs, Part 2. Inside GNSS, October 2007, pp 71-78. Re- 
trieved October 20, 2007, from http://www.insidegnss.com/auto/SepOct07-wkngpa- 
pers-proof-spoof.pdf 

Hytch, D. (2007). Service vendors target traffic-management deals. Computer Busi- 
ness Review Online. Retrieved July 25, 2007, from, http://www.computerbusiness- 
review.com/article_news.asp?guid=E01E9184-2F5 1-4B85-9577-D0A6C72AF895 
Iqbal, M.U., & Lim, S. (2006). A privacy preserving GPS-based Pay-as- You-Drive in- 
surance scheme. Symposium on GPS/GNSS (IGNSS2006). Surfers Paradise, Aus- 
tralia, 17-21 July, CD-ROM proceedings. 

Iqbal, M.U., & LIM, S. (2007). Privacy implications of automated GPS tracking and 
profiling. Second Workshop on Social Implications of National Security: From 


593 


20. 


21. 


22. 


23. 


24. 


25. 


26. 


28. 


29. 


30. 


31. 


32. 


Dataveillance to Uberveillance, Wollongong, Australia, 29 October 2007. 

Karni, A. (2007). GPS Concerns Taxi Drivers. The New York Sun. Retrieved Febru- 
ary 12, 2007, from, http://www.nysun.com/article/46133 

Kilman, J. & George, C. (Eds). (2000). The Constitution of the United States of Amer- 
ica: Analyis and Interpretation. 

Lagier, E., Craig, D., & Benshoof, P. (2004).JAMFEST - A Cost Effective Solution 
to GPS Vulnerability Testing. Journal of Global Positioning Systems Vol. 3, No. 1-2: 
40-44. 

Litman, T. (2003). Distance-based Vehicle Insurance. Victoria Transport Policy In- 
stitute. 

Litman, T. (2005). London Congestion Pricing — Implications for Other Cities. Dice 
Report: Journal of Institutional Comparisons 3(3): pp. 17-21, Retrieved November 12, 
2006, from, http://www.cesifogroup.de/portal/page?_pageid=36,34692& dad=por- 
tal&_schema=PORTAL. 

Mohan, S. (2006). Technology: GPS Keeps Parolees on a Short, Smart Leash. Ziff 
Davis Media Inc. Retrieved September 12, 2007, from http://findarticles.com/p/ar- 
ticles/mi_zdcis/is_200609/ 

NRMA (2007). NRMA calls for car surveillance via GPS. Ninemsn Science and tech- 
nology news, Retrieved July 10, 2007, from http://news.ninemsn.com.av/article. 
aspx?id=59964 

Newschannel.com (2007). Parolees Monitored by GPS Tracking. Retrieved October 
14, 2007, from http://www.newschannel9.com/onset?id=963605&template=arti- 
cle.btml 

Norwich Union (2007). Pay As You Drive Car Insurance, Retrieved June 5, 2007, 
from http://www.norwichunion.com/pay-as-you-drive/index.htm . 

Questguard (2007). ActSoft Alcohol and Drug Monitoring. Retrieved October 23, 
2007, from, http://questguard.com/ActSoft-Alcohol-and-Drug-Monitoring_.html 
United States v. Garcia (2007). 474 F.3d 994 (7th Cir. 2007) 

United States v. Knotts (1983). 103 S. Ct. 1081, 1087. 

Tripsense (2005). How TripSensor Works, retrieved January 11, from, 
https://tripsense.progressive.com/about.aspx?Page=HowDevice Works 

Vidales, P., & Stajano, F. (2002). The Sentient Car: Context-Aware Automotive 
Telematics. Paper presented at the LBS-2002. 

Volpe, J.A. (2001). Vulnerability Assessment of the Transportation Infrastructure Re- 
lying on the Global Positioning System. National Transportation Systems Center. Re- 
trieved August 12, 2007, from, http://www.navcen.uscg.gov/archive/2001/Oct/ 
FinalReport-v4.6.pdf 

Wainright, R. (2007). Father and son stick to gins to prove radar wrong. Sydney Morn- 
ing Herald, Retrieved July 5, 2007, from http://www.smh.com.au/news/national/fa- 
ther-and-son-stick-to-guns-to-prove-radar-wrong/2007/03/11/1173548023012.html 
Zhang, D., Wang, X.H., Hackbarth, K. (2003). OSGi Based Service Infrastructure for 
Context Aware Automotive Telematics, Paper presented at the IEEE Vehicular Tech- 
nology Conference, Italy. 


594 


Appendix 


ts 


imen 


d for the exper 


: GPS Receivers use 


1 


Figure 


CI self-storage 


O 
Q 
ac) 
S 
© 
2 
vV 
pos 
<0 
iN 


Tl Bivetooth 


Tracking Stick 


Tracking Stick 


NMEA Output 


Car-lighter Jack 


Powered 


Battery- 


R Leadtek” 





: Edited route 


Figure 2 


ON 
Ea \ Sag 
Ne 





©. 
noewta Ne 








595 


Figure 3: GPS receivers opened 







De 


Check matrices 





596 


t 5650 Signal Generator 


iren 


Sp 


Figure 5 





: Re-Radiator Antenna 


Figure 6 














Digital Evidence and Electronic Lawsuits: How far do 
we go? 


Carlos Alberto Rohrmann 


Faculdade de Direito Milton Campos — FDMC 
(Brazil 


Jason S. de Albergaria Neto 
Faculdade de Direito Milton Campos — FDMC 
Brazil 


Abstract. Brazilian courts have been addressing the admissibi- 
lity of electronic documents since the the mid nineties. On December 
19th, 2006, through a federal statute called Law Number 10.419 of 2006, 
the Brazilian Congress addressed the use of electronic documents for e- 
filing legal documents and petitions before courts. Under the terms of the 
new law, all communications with courts can be made electronically (in- 
cluding the issuing of electronic summons). All phases of a lawsuit can 
be digitally stored and most of the petitions and supporting documents 
can be electronically filed. Digital evidence is regulated by the new le- 
gislation in such a way that electronic documents are considered as ori- 
ginal documents with all strength of evidence that the corresponded 
paper based document has. Only some documents cannot be presented 
in the form of exclusively digital evidence, such as the case of negotia- 
ble instruments that must be also presented in paper. 


Key-words: Digital evidence, electronic lawsuits, electronic evidence, electronic sig- 
natures, digital signatures 


Biographical Notes: Carlos Alberto Rohrmann is the academic director of the LL.M. 
Program of Faculdade de Direito Milton Campos — FDMC (Brazil) and Professor of 
Law at Faculdade de Direito Milton Campos — FDMC (Brazil), where he teaches Cy- 
berlaw and Intellectual Property Law. He is the author of Curso de Direito Virtual — 
“Course of Cyberlaw”, a book about cyberlaw in Brazil (Ed. Del Rey, 2005) and he has 
written other legal articles about the subject. Prof. Rohrmann holds a Doctorate in the 
Science of Law J.S.D. (UC Berkeley, USA) carlosgrico@hotmail.com 

Jason S. de Albergaria Neto is Professor of Commercial Law. Doctor in Commercial 
Law (UFMG) Faculdade de Direito Milton Campos. Professor Jason teaches Com- 
mercial Law and Civil Procedure Law for graduate and for undergraduate law courses 
at Faculdade de Direito Milton Campos in Brazil. He is the author of many legal arti- 
cles about civil procedure and commercial law. Jason@mcampos.br 


599 





1. Introduction (Digital Evidence and Electronic Lawsuits) 


The Brazilian Congress enacted a new statute, Law n. 11.419 on December 
19", 2006 (hereinafter simply “Law n. 11.419”) that amended the Brazilian 
Civil Procedure Code and created the so-called “Electronic Lawsuit”. Elec- 
tronic lawsuits are now legal, in Brazil, for civil, criminal and labor cases. Be- 
sides allowing the Judiciary Power to implement a fully digital lawsuit, Law 
n. 11.419 does also regulate digital evidence. Law n. 11.419 makes it valid for 
public agencies and for private parties to produce digital evidence with very 
few requirements. 

This article analyzes the aspects of Law n. 11.419 that deal with digi- 
tal evidence. Chapter one will describe the regulation of an electronic lawsuit 
under the terms of Law n. 11.419. We will present the requirements that the 
statute introduced in the Brazilian Civil Procedure rules for the validity of a 
digital petition. Chapter two reviews the theory and the rules that regulate ev- 
idence in the Brazilian civil procedure; this chapter begins with a reference to 
the systems and to the types of evidence and then explains the phase of dis- 
covery and rules for evidence in Brazil. Chapter three addresses specifically the 
requirements for digital evidence under the terms of Law n. 11.419. 

We conclude that Law n. 11.419 conferred a new status for digital ev- 
idence, especially for digitally signed documents, but the risk of fraud due to 
the use of digital evidence in electronic law suits , may increase in the near fu- 
ture. 


2. Electronic lawsuits under the regulation of Law n. 11.419 
(Digital Evidence and Electronic Lawsuits) 


The use of cyberspace for filing legal documents before the courts started in 
Brazil during the nineties. Many attorneys sent legal petitions and other sup- 
porting documents to courts by fax machines. Back in 1999, a federal statute 
(Law n. 9.800 of 1999) allowed attorneys to send their petitions by fax until the 
last day assigned by the judge or by the law. But, there was a requirement: the 
original paper document had to be filed not later than five days after the fax was 
sent. The reason for such a requirement is that the judge has to examine both 
documents: the fax and the original paper document filed no later than five 
days afterwards. If a single difference is found, all the documents must be re- 
jected due to its tardiness. Due to this requirement, a petition could not be filed 
by e-mail because the sender cannot sign by hand the e-mail (we do not con- 
sider here the analysis of an e-mail with a “pdf” file attached to it). 

On December, 2006, electronic lawsuits were legally regulated in Brazil. 
Law n. 11.419 created the Electronic Civil, Criminal or Labor Lawsuit. It is a 


600 


small piece of legislation with 20 sections distributed along four chapters. 

Chapter one of Law n. 11.419 is called “Lawsuits and Informatics” and 
begins with a plain statement that allows the parties to use all kind of elec- 
tronic (preferably the world net of computers) means for filing legal documents 
and all kind of legal petitions before courts. Chapter one also defines electronic 
signatures as both: one, digital signatures with a digital certificate issued within 
the terms of the specific legislation applicable to the PKI of Brazil or, two, 
through a previous registration before the Judiciary as regulated by the judici- 
ary organs. All electronic documents sent to courts must bear an electronic sig- 
nature. Besides, all registrations before the Judiciary must be made, by the 
attorney, in person before a court. 

Chapter two of Law n. 11.419 is called “Electronic communications of 
acts of lawsuits” and it regulates the creation of electronic legal gazettes in 
Brazil. At this point in time, judges can communicate their acts through a paper 
publication that is called “Official Daily Gazette”. Under the terms of Chapter 
two of Law n. 11.419, no paper publications will be required and courts are al- 
lowed to use preferably electronic means to communicate with attorneys, with 
other judges and with other courts (both domestic and foreign courts) and even 
with the parties of a lawsuit. At this point in time, all publications that are pub- 
lished in a paper legal gazette, when electronically published, must bear a dig- 
ital signature. Finally, chapter two allows legal summons to be electronically 
issued by courts, except those summons in criminal cases that must follow the 
specific rules of criminal procedure (which are not within the scope of this 
text). 

We define electronic law suits as law suits where judges, clerks, plain- 
tiffs, defendants, lawyers and everyone else involved with the law suit use 
mostly electronic (or digital) means. Electronic law suits have most of their 
documents e-filed and they are all digitally stored in a folder of a computer 
with the access to the attorneys made through computer networks. Therefore, 
electronic law suits require all paper based documents and petitions that are 
filed before courts to be digitalized (except documents that, due to their na- 
ture, for example, too old, or too big, cannot be easily digitalized). 

Oral acts that are performed before the judge, such as oral testimonies, 
can be digitally recorded and attached to the electronic files of the folder of the 
corresponding electronic law suit, under the terms of the new statute. 


3. A Review of the theory of evidence in civil procedure (Dig- 
ital Evidence and Electronic Lawsuits) 


The Brazilian Code of Civil Procedure of 1973 (hereinafter the 1973 CPC) did 


601 


not address the electronic filing of any kind. The way that the Code regulates 
evidence is briefly addressed in this chapter. Thus, this chapter will deal with 
some of the theory of evidence in Brazilian Law. 


3.1. Evidence Systems 


The purpose of this chapter is to analyze the evidence systems in the Brazilian 
juridical order (Brazilian jurisdiction), considering that the evidence system 
used in a lawsuit in a given country shows this civilization development level. 

History shows that the ordeals, duels, oaths and God’s judgments have 
been used as evidence systems, putting away the juridical safety and bringing 
concern to the juridical community. 

Legal disputes before courts are subjected to the parties’ needs of car- 
rying to a lawsuit the evidence, which are relevant for the judge’s decision con- 
cerning the alleged facts. Thus the use of technique, of logic and the evidence 
regulation norms all have influence on the State juridical activity. 

In Brazil, in reaching court decisions, judges rebuild the facts narrated 
by the parties within a lawsuit, and apply juridical norms suitable to the mat- 
ter. Therefore, from the evidence system is originated a right to the party so as 
to produce the evidence and the addressee is the judge. 

The rationalization of establishing the truth in a lawsuit is foreseen in the 
ordinary and infra-constitutional legislation. The Brazilian legislator has in- 
serted in the Civil Code the rules that determine the existing types of evidence 
and in the Code of Civil Procedure those that indicate the moment and the way 
of producing the evidence during a lawsuit. 

However, the study about the right to produce evidence as a subjective 
public right has its origin in the constitutional norms. It is noted that there is 
no express constitutional provision that places evidence among the funda- 
mental rights. 

Nevertheless, the right to evidence is “the unfolding of the constitutional 
guarantees of the due legal process or a fundamental aspect of the process guar- 
antee of action, of defense and of the contradiction” (CAMBI, Eduardo. Dire- 
ito Constituicional a prova no processo civil, 2001, p. 165-166). 

Thus, inserted in the constitutional foundations designed for the process, 
such as the guarantee of access to the jurisdiction (Federal Constitution of 
Brazil, article 5, section XXXV), of contradiction, to the due legal process, the 
parties through the evidences may interfere in the result of a lawsuit, actively 
participating, producing evidence designed to the construction of the juridical 
provision to which they will be subjected. 

Starting from these constitutional premises, the right to evidence is 
owned by the ones under jurisdiction, with guarantee to the advantageous sub- 


602 


jective position of demonstrating before the judge the facts that are part of their 
allegations. Parties must prove the facts that will contribute to the formation of 
the judge’s judgment conviction. 

The right to prove is originated from the guarantee of free access to the 
jurisdiction. As a lawsuit starts, the parties have the power to demonstrate an 
existing or non-existing fact from which a claim was formulated. The parties 
shall produce the evidences following the contradictory principle, when the 
jurisdictional provision shall be democratically built, guaranteeing the parity 
of opportunity and participation for both parties. This all within the due process 
of law, in which the moment and the opportunity shall be previously foreseen 
and guaranteed to the parties. 

On the other hand, the magistrate is the evidence addressee and its pur- 
pose is “the formation of the conviction concerning the facts” (THEODORO 
JR, Humberto. Curso de Direito Processual Civil, Rio de Janeiro: Forense, 
1996, p. 414, v.1). The evidence purpose is to carry to a lawsuit the informa- 
tion about the facts occurrence so as the judge may value them following 
his/her own free conviction. When judging, he/she must inform the evidence 
from which he/she has been convinced and on which the decision was founded, 
thus protecting the parties from judicial discretion. 

Thus in the Brazilian process system the Latin principle is in force: - 
iudex secundum allegata er probata a partibus iudicare debet (“The judge 
must decide solely on the basis of the facts alleged and actually proved by the 
parties”) and also, que quod non est in actis, non est in hoc mund (“What is not 
in the lawsuit is not in the world”). 

In the Brazilian evidence system, the judge’s role is to say the types of 
evidence that shall be valid, accordingly to the parties’ claims. The party shall 
demonstrate the need for the evidence realization, and it is the judge’s decision 
the evidence of fulfillment. This analysis will link the alleged facts to the na- 
ture of the requested evidence, guided by juridical safety, procedural economy 
and celerity in each lawsuit. 

The purpose of evidence phase of a lawsuit is the factual reconstruction 
so as to make a juridical picture as close as possible to the actual occurrence. 
That reconstruction is made in a lawsuit independently from the actual truth 
(actual truth — the absolute truth, where the reality carried to a lawsuit by means 
of evidence pictures what actually happened in the real world) and the formal 
truth (formal truth are the evidences carried by the parties and existing in a 
lawsuit and which are approximately the reality alleged by the parties) princi- 
ples because evidence shall be produced in order to obtain the true facts al- 
leged by the parties in a lawsuit for judge’s free conviction to decide. 

The evidence in Brazilian law also suffers some restrictions. One of the 


603 





restrictions is concerned with who can produce the evidence, as only the par- 
ties, the interested third party and the Public Prosecutor are legitimate to pro- 
duce evidence. 

Equally, the admissibility of some evidences is limited by the moment 
when they are produced and their valuation by the Magistrate, as we will see. 


3.2. Types of evidence 


The types of evidence are tools made available by law so as the parties are able 
to demonstrate the facts relating to the lawsuit. 

Thus the Brazilian legislator in the Civil Code of 2002 specified that ju- 
ridical facts shall be proved by means of confession, documents, witnesses, 
presumptions and expert technical witnesses. 

Actually, this Civil Code rule, as a material law norm, only enumerates 
as an exemplification that the party may prove the allegations by means of doc- 
uments, witnesses and by carrying expert technical witnesses, as well as by 
confessions. The presumption, even though cited as type of evidence in the 
legal disposition, actually is the judge’s intellectual activity to examine the ev- 
idences. 

In courts evidences shall be produced by the magistrate complying with 
the Civil Code exemplified orientation, and shall be carried out as established 
in the Code of Civil Procedure. The civil procedure rule determines that the ev- 
idence collection shall be done by the judge using the parties’ personal testi- 
mony, by the confession, by documents or object exhibition, witnesses, 
technical expert witnesses and by judicial inspection (when the judge actually 
goes to see a fact outside the court). 

These evidences named typical or nominate have their nomenclature, 
their purpose and production moment established by the Procedure Law, and 
they don’t exclude the evidences deemed atypical or innominate. 

It is important to emphasize that the Code of Civil Procedure admits all 
kinds of morally legitimate evidences (Código de Processo Civil, Artigo 332: 
“Todos os meios legais, bem como os moralmente legitimos, ainda que não 
especificados neste Código, são hábeis para provar a verdade dos fatos, em 
que se funda a acão ou a defesa. ” — Code of Civil Procedure, Article 332: “All 
the legal means of evidence, as well as the morally legitimate, even though not 
specified in this Code, are competent to prove the true facts, on which the claim 
or the defense are based.”). Thus, together with the typical evidence such as the 
confession, document, witness, expert witness, other kinds of evidence are also 
allowed, and there is no value difference between them. Morally legitimate ev- 
idences are those that are not against the moral values of the average man. 

However, whether typical or atypical evidence, equally it is forbidden 


604 


that they are obtained by immoral or illegitimate ways, or illegal or illicit ways. 
It is a constitutional rule that the evidence obtained through illicit means is not 
admissible in a lawsuit (Federal Constitution, article 5, section LVT). 

It is admissible to use in a lawsuit any evidence that is not offensive for 
an ordinary man or for the ordinary social moral standards (as ruled by the 
TJRS, TRRGS 157/233). 

However, the means for obtaining the evidence must be investigated as 
it shall not be accepted if originated from an illicit action, as decided by the 
Supreme Court (Caso Fernando Collor — “Inadmissibilidade, como prova, de 
laudos de gravação de conversa telefônica e de registros contidos na memória 
de microcomputador, obtidos por meios ilícitos (art. 5° , LVI, da CF); no 
primeiro caso, por se tratar de gravação realizada por um dos interlocutores, 
sem o conhecimento do outro, havendo a gravação sido feita com inob- 
servancia do principio do contraditório, e utilizada com violação à privacidade 
alheia (artigo 5°, X, da CF); e, no segundo caso, por estar-se diante de mi- 
crocomputador que, além de ter sido apreendido com violação de domicílio, 
teve a memória nele contida sido gravada ao arrepio da garantia da inviola- 
bilidade da intimidade das pessoas (artigo 5°, X, XI, da CF) STF — Pleno; RTJ 
162/3 e RF 335/183, maioria” — “Inadmissibility, as evidence, of reports of 
telephone conversation recordings and registers contained in the computer 
memory, obtained by illicit means (article 5° , section LVI, of the Federal Con- 
stitution); in the first case, as it deals with recordings carried out by one of the 
interlocutors, without awareness, the recording having been done with no- 
compliance with the principle of the contradictory, and used through privacy 
violation (article Sst, X, da CF); and, in the second case, because it is in face 
of a microcomputer which besides being seized with domicile violation, had its 
computer memory recorded against the parties intimacy inviolability guaran- 
tee (article 5, sections X, XI, of the Federal Constitution) Supreme Court en 
banc; RTJ 162/3 and RF 335/183, by majority of votes)”. 

Thus, the evidence collected by criminal or clandestine acts must not be 
accepted. Such Brazilian constitutional guarantee is similar to the principle of 
“the fruit of poisonous tree” where all the evidence originated from illicit ev- 
idence is invalidated. 


3.3. Evidence production 


The Brazilian procedure system sets the rules that guide the evidences pro- 
duction. The evidence production procedure is carried out with the formal pe- 
tition, the admission, the realization and the evidence valuation. 

The petition implies the parties’ request (article 282, section IV of the 
Brazilian Civil Procedure Code to the plaintiff and the article 300 of the same 


605 


Code to the defendant) before the judge about the types of evidence they will 
carry out in order to have influence on the judge persuasion. The documental 
evidence must be carried with the initial petition (article 283 of the Code of 
Civil Procedure) and with the defendant’s defense (article 396 of the Code of 
Civil Procedure). 

During a lawsuit, the judge will also rule that the parties specify the ev- 
idences they intend to produce (article 396 of the Code of Civil Procedure). The 
evidence petition must be specific, detailing the type of evidence applicable to 
each fact that has to be proved. 

After the evidence requests, it is up to the judge to examine these evi- 
dences fulfillment suitability and convenience, starting the so-called “evidence 
admission phase” of a lawsuit. 

In this phase, the magistrate seeks the requested evidence admissibility 
so as to effectively contribute to clarifying the facts alleged by the plaintiff or 
by the defendant. The decision must be well founded, explaining the need for 
certain evidence, or the reasons for its inadmissibility. Once the evidence is 
admitted, it shall be produced in the lawsuit. In this phase it might also be used 
the so-called “borrowed evidence”, that is, evidence carried from another law- 
suit, which avoids the repetition of useless acts. This borrowed evidence de- 
pends on the respect to the contradictory principle so as to be legitimate. 

The third phase is the realization of the evidences, that usually occurs in 
a hearing (article 336 of the Civil Procedure Code), existing exceptions ac- 
cording to the law provision, such as the documental evidence , which is pre- 
viously carried out, the need for technical expertise witness, the act of hearing 
a sick witness or certain public authorities. 

It is important to emphasize that at the moment of producing the evi- 
dences, they must be collected accordingly to the contradictory principle es- 
tablished in the lawsuit, with guarantee to the party of the necessary and 
mandatory information about the date and type of evidence that will be pro- 
duced so as the party has the opportunity to be present at the time of the evi- 
dence realization and to eventually cross examine. 

Thus produced before the judge, the evidence shall be valued at the time 
of pronouncing the sentence. The Brazilian system adopts the rule by which the 
evidences have no pre-determined value, that is, there is no hierarchy among 
various types of evidence. It is up to the judge the free conviction according to 
any existing evidences in the legal proceedings. Judges must give reasons by 
which they understand that a given evidence proves the fact while another does 
not (article 131 of the Civil Procedure Code 

The system in force in Brazil is the principle of the “rational convic- 
tion” or “rational persuasion”, which confers the judge the complete freedom 


606 


to be persuaded by the evidences presented in the case brief, so as to form 
his/her conviction, which should be duly founded. 

Within the valuation rules, the judge may use the indicators or infer- 
ences. Thus, if the available evidence elements for the judgment do not point 
directly to a fact alleged by the party, the judge should examine the circum- 
stantial elements and indirect evidences. Thus, it is admissible a secondary fact 
evidence to prove the main fact. 

The Brazilian system accepts the indicatory proof, which is actually a 
part of a judge’s intellectual deduction work that the occurrence of a fact al- 
leged by the party is originated from the evidence of a secondary fact that has 
been demonstrated. From a proven secondary fact, the consequent existence of 
a primary fact alleged by the party can be reached. Such a conclusion is pos- 
sible in face of a rational criterion of logical probability of the coexistence of 
both facts. 


3.4. Special rules 


In a number of situations, the Brazilian legislator has created rules designed to 
the parties and the judge, in order to avoid the admission of issues of less im- 
portance to the lawsuit or that would lead to the privilege of one of the parties. 

Thus, some allegations by the parties often do not need to be proved, 
particularly when concerning to well known facts, to the facts stated by one of 
the parties and confessed by the contrary party, to those facts admitted in the 
process as unquestioned and to facts to which there is the presumption of ex- 
istence or truthfulness (article 334 of the Civil Procedure Code). 

Well-known facts are those that are known and predominant in a given 
region and in a given time period. It deals with facts that the judge considers 
as existing, mainly because they are well known by everyone. 

The fact confessed by one party is evidence against the confident; this 
circumstance is determinant in the evidence dismissal. In the confession a party 
admits as true a fact that is unfavorable to her/his situation in the case and fa- 
vorable to the contrary party’s claim. 

Equally, it also considered a confession when the defendant fails to man- 
ifest precisely about the facts narrated in the initial petition of the plaintiff (ar- 
ticle 302 of the Civil Procedure Code), and it shall be assumed that such facts 
are true and considered unquestioned, and the conclusion is that they have been 
accepted as true facts. 

Ultimately, the law grants the presumption of being truth to some situ- 
ations (for example articles 163 and 164 of the Civil Code, which deal with 
fraud against creditors or the state administrative act that has the legal pre- 
sumption of existence and legality). This presumption may be iuris tantum, as 


607 


they are also named relative presumption and admit proof to the contrary. The 
presumption may be iuris et de iure, named absolute presumption and does not 
admit proof on the contrary. 

On the other side, there are some special rules about evidences that grant 
the evidentiary privileges to the parties; where in the search for evidences the 
duty to collaborate with the State is dismissed. 

Within the rules concerning the evidences, where no one is exempt from 
the duty to collaborate with the Juridical Power so as to discover the truth (ar- 
ticle 339 of Civil Procedure Code), there are situations that constitute a privi- 
lege, grant against self-incrimination to the party and the privilege to the 
knowledge about certain matters due to office, function or profession (MARI- 
NONI, Luiz Guilherme e ARENHART, Sergio Cruz. Manual do Processo de 
Conhecimento, Sao Paulo, Revista dos Tribunais, 2001, p. 330). 

Such privileges are originated from the North American Law, mainly 
from the 5th Amendment to the United States Constitution, where there is the 
provision of the privilege against self-incrimination. The mentioned privilege 
is applicable to criminal and civil issues as well, avoiding an absurd situation, 
when a person trying to preserve his/her freedom and to confess a certain crime, 
would lye about the mentioned facts to defend his/her freedom and would be 
found guilty of giving false testimony or perjury. 

Therefore, in the Brazilian legal order (Article 347 and 363 of the Code 
of Civil Procedure), the party is dismissed from testifying about criminal facts 
ascribed to him/her, as the criminal self-imputation cannot be required. 

Another privilege is related to the secrecy, resulting from the ethical- 
professional relations, which impose the duty of secrecy on professionals. Thus 
the facts known for professional reasons of the relationship lawyer-client, an 
attorney-client privileged (article 7 of the Federal Law number 8.906 of 1994, 
Estatuto da Ordem dos Advogados do Brasil, Statute of the Brazilian Bar As- 
sociation), physician-patient (Article 36 of the Código de Ética Médica, Me- 
dial Etichs Code) or still, from religious bonds and originated from public 
function or specific occupation (articles 154 and 325 of the Penal Code). 

This secrecy must be kept so as to assure the professional activity, oth- 
erwise the confidence between the client and the professional would be threat- 
ened. 

So, electronic or digital evidence is not per se inadmissible in a lawsuit. 
The main problem is that it is subjected to the judge’s free conviction and it is 
very likely to be taken as not a written document for the lack of a handwritten 
signature. Besides, the fact that it is relatively easy to forge a digital document 
has led to a certain degree of less credibility to the electronic document. Maybe 
those were the reasons why a Federal Statute was edited to push for the use of 
digital signatures. 


608 


4. Law n. 11.419 and the Discovery of Digital Evidence (Digi- 
tal Evidence and Electronic Lawsuits) 


As we have seen, under Brazilian law digital evidence is not per se inadmissi- 
ble. The weight of digital evidence can be discussed and challenged. Under 
the terms of Brazilian Civil Procedure Code, oral testimony of a witness is al- 
ways admissible as a valid form of evidence nevertheless; article 401 of the 
Code rules that: “Oral testimony of a witness, as the only form of evidence, is 
admissible only for contracts with a value up to ten minimum wages [...]”. So, 
one cannot prove a case before courts if the value of the contract is more than 
ten minimum wages and there is no other form of written evidences. Article 402 
of Brazilian Civil Procedure Code allows the use of oral evidence in all cases, 
if there is some form of evidence in writing coming from the other party. There- 
fore, if there is some sort of evidence in writing that comes from the other 
party, a party is allowed to use that writing as a starting evidence to support the 
use of further oral testimony of a witness for contracts that worth more than ten 
minimum wages. 

At this point in time, we can conclude that oral testimony of a witness 
is admissible as the only form of evidence only in contracts that worth less 
than two thousand U.S. dollars. The next question is: “Is digital evidence writ- 
ing under the terms of article 402 of the Civil Procedure Code?” Before an- 
swering this question we have to focus on how the existence of obligations of 
any value can be proved. 

Article 221 of the Brazilian Civil Code rules that: “Private written in- 
struments, made and signed, or only signed by someone who is legally entitled 
to dispose of his goods, proves the conventional obligations of any amount”. 
Therefore, in order to prove obligations that are worth more than ten minimum 
wages, the best evidence is a written and signed document. 

Of course, a digital document is very likely not to be understood as a 
signed document for obvious reasons: there is no handwritten signature on the 
document. The use of digitalized signature is not safe (because one could eas- 
ily, bit by bit, reproduce the image of a signature) besides, the Brazilian 
Supreme Court has addressed the issue and denied validity (RMS (AgR) 
24.257-DF, rel. Ministra Ellen Gracie, 08.13.2002 and AI 564765-RJ, rel. Min. 
Sepúlveda Pertence, 02.14.2006). 

Electronic evidence such as digital photos can be used as evidence, but 
due to the high risk of forgery, they have to be valued carefully. If the other 
party challenges the validity of a digital photo, the burden to prove that the 
digital file containing the photo was not altered relies on the party that wants 
to use the photo as evidence. 


609 


The fact that digital documents are not signed, plus the risk of forgery 
led to a difficult acceptance of digital evidence as a strong type of evidence. A 
legal solution against forgery could be the adoption of digital signatures. 


4.1. Digital signatures and the legislation 


Brazil has adopted a hierarchic system for the legal regulation of digital sig- 
natures. Under the Provisionary Measure number 2.200-2 of 2001 (hereinafter 
simply M.P. n. 2.200-2/2001) only Certification Authorities that have been cre- 
dentialed and digitally certified by the Root Certification Authority (a Federal 
Agency) belong to the Public-Key Infrastructure of Brazil (hereinafter simply 
“PKI-Brazil”). Under the terms of section one of article 10 of M.P. n. 2.200- 
2/2001, digital certificates that are issued by Certification Authorities within the 
PKI-Brazil confer to the digitally signed document the same effects as those of 
a paper document with a civil signature. Nevertheless, section two of article 10 
of M.P. n. 2.200-2/2001 allows for the parties to, in advance, choose a form of 
electronic signature other than digital signatures within the PKI-Brazil, but, if 
they do so, those electronic documents will be considered valid only before 
those two parties (not against a third party). 

The Brazilian M.P. 2.200-2 of 2001 created the Brazilian Public-Key In- 
frastructure — PKI Brazil. Under the terms of the M.P. 2.200-2, the PKI Brazil 
has a Root Certification Authority (RCA). The RCA, among other tasks, is re- 
sponsible for issuing digital certificates to certify the other certification au- 
thorities, the CAs. The cryptographic keys used by the Brazilian RCA can be 
as big as a 2048-bit key. The RCA is the National Institute of Information 
Technology, the ITI, a federal agency that is subordinated to the Ministry of 
Science and Technology. The ITI is responsible for auditing the work of the 
CAas, and the MP 2.200-2 authorizes the ITI to apply fines to the CAs. The PKI 
Brazil is structured under a hierarchical model that has the Brazilian Federal 
Government at the top of the certification process. Those CAs that are certified 
by the RCA are legally considered to be CAs in the PKI Brazil. 

CAs are the ones that issue digital certificates to the final user, MP 2.200- 
2 also created the register authorities — RAs that are responsible for identify- 
ing the final user. The RAs are operationally associated with the CAs, under the 
terms of article 6 of the MP 2.200-2, with our translation into English after: 


“Art. 60 As AC, entidades credenciadas a emitir certificados digitais 
vinculando pares de chaves criptograficas ao respectivo titular, com- 
pete emitir, expedir, distribuir, revogar e gerenciar os certificados, bem 
como colocar a disposição dos usuários listas de certificados revogados 
e outras informações pertinentes e manter registro de suas operações. 

Parágrafo único. O par de chaves criptográficas será gerado sempre 


610 


pelo proprio titular e sua chave privada de assinatura será de seu ex- 
clusivo controle, uso e conhecimento. 


Article 6. The CAs (the entities which are entitled to issue digital cer- 
tificates which bind pairs of cryptographic keys to a respective holder) are to 
issue, dispatch, distribute, revoke and control the certificates, as well as to put 
at the disposition of the users lists of revoked certificates and other regarding 
information pertaining the matter. They should also keep records of their ac- 
tions. 

Paragraph — The owner will always generate the pair of cryptographic 
keys and its signing private key will be under his exclusive control, use and 
knowledge.” 

When the final user wishes to generate a pair of cryptographic keys, they 
must identify themselves with a valid form of identity (the identity card and the 
card that has the number of the person before the Brazilian Internal Revenue 
Service), in person, before a RA. Once the RA is satisfied of their identity, the 
final user will be able to generate the pair of cryptographic keys. The final user 
will always keep the private key. It is for this reason that there is no private key 
escrow requirement in Brazil. 

MP 2.200-2 allows that both forms of public electronic document (such 
as those issued by the government) and private electronic document can be ac- 
cepted with an electronic signature. Public electronic documents, under the 
terms of article 11 of the MP 2.200-2, which reads as follows, with our trans- 
lation into English: 


“Art. 11. A utilização de documento eletrônico para fins tributários aten- 
derá, ainda, ao disposto no art. 100 da Lei n 5.172, de 25 de outubro de 
1966 - Código Tributário Nacional. 


Article 11 — The use of electronic document for tax purposes must com- 
ply with the terms of article 100 of Law n° 5.172, of 25 of October of 1966 — 
National Tax Code.” 

Electronic documents can also be used for tax purposes, providing that 
the electronic document comply with the terms of the rules in the Codigo Trib- 
utário Nacional — the National Tax Code. It is interesting to note that the 
Brazilian judiciary, even before the passing of MP 2.200-2, had ruled valid a 
tax document issued by the tax authorities in electronic format. There is no spe- 
cific topic in MP 2.200-2 regarding the filing of legal electronic documents 
before courts in Brazil, thus electronic filing of documents before courts are 
therefore not prohibited. 

Article 10 of M.P. 2.200-2 regulates the effects of electronic signatures, 
with our translation into English after: 


611 


“Art. 10. Consideram-se documentos públicos ou particu- 
lares, para todos os fins legais, os documentos eletrénicos de que 
trata esta Medida Provisória. 

§ 1o As declarações constantes dos documentos em forma 
eletrônica produzidos com a utilização de processo de certifica- 
ção disponibilizado pela ICP-Brasil presumem-se verdadeiros em 
relação aos signatários, na forma do art. 131 da Lei n 3.071, de 1 
de janeiro de 1916 - Código Civil. 

§ 20 O disposto nesta Medida Provisória não obsta a utili- 
zação de outro meio de comprovação da autoria e integridade de 
documentos em forma eletrônica, inclusive os que utilizem certifi- 
cados não emitidos pela ICP-Brasil, desde que admitido pelas par- 
tes como válido ou aceito pela pessoa a quem for oposto o 
documento. 

Article 10 -The electronic documents referred to by this Provi- 
sionary Measure are considered as public documents as well as private 
documents, for all legal purposes. 

§ I Declarations made upon electronic documents produced 
within the ICP — Brazil s certification process are to be considered trust- 
worthy as to the authenticity of the signer, in accordance with Article 
131 of Law n° 3071, of January Ist, 1916 (Brazilian Civil Code). 

§ 2 This Provisionary Measure does not prevent other means of 
proving the authorship and integrity of electronic documents. This Pro- 
visionary Measure also does not prevent the use of certificates that are 
not issued by the ICP — Brazil, where their use is regarded as valid by 
both parties or accepted by the person to whom the document is sup- 
posed to be presented.” 


Section 1 of article 10 establishes that the declarations in electronic docu- 
ments made under the certification model of the PKI Brazil are presumed valid in 
relation to the signer under the terms of the Brazilian Civil Code, article 219, that 
establishes that “The declarations in documents signed are presumed to be valid 
in relation of the signers”: “Art. 219. As declarações constantes de documentos as- 
sinados presumem-se verdadeiras em relação aos signatários.” 

In other words, in Brazil, a digital signature with a digital certificate issued 
by a CA that belongs to the PKI Brazil (that has the Brazilian ITI as its root cer- 
tification authority) has the same legal effects as a civil signature. 

Section 2 of article 10 allows for the parties to use other forms of electronic 
signatures and data integrity that are not within the PKI Brazil, such as using a CA 
that is not certified by the Brazilian Root Certifications Authority. However, under 
the terms of section 2, the parties involved in the electronic transaction must agree 
that the chosen procedure is valid. Moreover, a third party that was not involved 
with the electronic document produced outside the PKI Brazil can repudiate the 
electronic document if they do not agree with the type of the electronic signature 
used. 


612 


4.2. Challenges for digital evidence 


Law n. 11.419 went further than M.P. n. 2.200-2 of 2001. Article 11 of Law n. 
11.419 establishes that electronic documents with a guarantee of the origin and 
of the signer are deemed as original for all legal effects. Besides, section one 
of article 11 rules that digital extracts and digitalized documents offered as ev- 
idence by the organs of the Judiciary, by the Prosecutor’s office, by State At- 
torneys, by Police Departments, by public agencies or by attorneys at law have 
the same legal effects of evidence as the originals. 

Section one of article 11 allows the other party of a lawsuit to argue the 
forgery of a digital document within a lawsuit. If that allegation is placed by 
the other party, some paths may be taken. 

A first situation is the case where the digital evidence challenged is a 
digitalized file of a previous existing paper based document. In this case, sec- 
tion three of article 11 requires that the party that digitalized the paper docu- 
ment to keep the originals until the end of the lawsuit (plus another two years 
in some specific cases when another lawsuit may be used to rescind the res iu- 
dicata). This first situation is, of course, the easiest one for judges to decide: 
they just need to compare the digitalized document with the original. If they 
match, judges rule in favour of the admissibility of the evidence. On the con- 
trary, if they don’t match, the digital evidence is not considered for the lawsuit. 

A second situation occurs when there is no paper based document that 
supports the digital evidence. Here an expert witness will play an important 
role in the decision of the acceptance of the digital evidence. Besides an expert 
witness, some rules shall also apply, accordingly to the electronic document 
that was challenged. 

If the electronic document has no signatures at all (such as an e-mail), 
the party that uses it as evidence will have the burden to prove the authentic- 
ity and the origin of the document. These are two difficult issues to be proved 
in courts even with the help of an expert witness. 

If the electronic document has an electronic signature (but not a digital 
signature within PKI-Brazil) then the party that uses the document as evidence 
will have the burden to prove the authenticity of the document. Regarding the 
origin of the document, we apply section two of article 10 of M.P. 2.200/2001: 
if both parties in the lawsuit had agreed, before the lawsuit, that they would use 
such a form of electronic signatures, then the origin of the document is upheld. 
Nevertheless, there is room for challenging the authenticity of the electronic 
document. 

Finally, electronic documents digitally signed within PKJ-Brazil are con- 
sidered to have their origin and authenticity preserved. Therefore, if the other 


613 


party challenges the digitally signed document, section one of article 10 of 
M.P. 2.200/2001 applies and the challenging party will have the burden to 
prove that the document was forged. So, both the origin and the authenticity of 
the digitally signed document within PKI-Brazil are presumed in favor of the 
party that uses such a document as digital evidence. We just note that if the 
digital certificate was not issued by a Certification Authority within PKI- 
Brazil, then only the authenticity is presumed, whereas the origin is ruled under 
section two of article 10 of M.P. 2.200/2001 (parties have to have agreed to 
use a Certification Authority that does not belong to PKI-Brazil before the law- 
suit). In both cases, challenges of digitally signed documents placed by the 
other party will be decided upon the help of an expert witness. 


5. Conclusion (Digital Evidence and Electronic Lawsuits) 


At this point in time, even though not all courts have the technology to enable 
a hundred per cent electronic lawsuits, no doubt that the electronic lawsuits 
have entered into law. The issue of the lack of a handwritten si gnature in dig- 
ital documents filed before courts has been finally addressed and therefore 
electronic signed petitions will have to be accepted by courts. Digital docu- 
ments supporting electronic petitions are also clearly legal under the terms of 
Law n. 11.419. Digital evidence is also accepted but the weight of each type 
of digital evidence will vary. Digitally signed documents within PKI Brazil are 
granted almost the same status as civil signed paper documents. Electronically 
signed documents are accepted only if the parties have previously chosen to use 
that kind of electronic signature (and the validity of the electronic signature is 
only applicable for both parties). Since non-digitally signed electronic evidence 
is more easily forged, challenges to these documents require technical expert- 
ise and an expert witness may be appointed by the court. In this case, the party 
that uses the evidence has the burden to prove that the digital document was not 
altered. The full enforcement of the law also depends upon the amount of tech- 
nology that will be made available not only for Courts, but also for attorneys 
and even for some parties of the lawsuits. 

One point that has to be addressed in the near future is how far should 
we go regarding digital evidence? Digital documents can be easily duplicated 
and altered leaving a large room for fraud. Relying on digital evidence can be, 
of course, more risky to the parties than the old paper based system of evi- 
dence. If, on the one hand, digital signatures and more technology could be 
the answer, on the other hand, more sophisticated technology does not mean 
that it cannot be forged. 


Acknowledgement. The author is thankful to FAPEMIG because he received a 
sponsorship from FAPEMIG, Minas Gerais, Brazil.. 


614 


Computer Forensics: from the Technological, 
Procedural/Organizational and Legal Perspectives 


Mr Kwok Hung Mak 
Doctor of Business Administration (DBA) candidate 
Curtin University of Technology, Australia 


Barry Chin Chi Yung 


Chin & Associates, Solicitors 


Abstract: Computer forensics forms a vital part in the procu- 
rement for better data security. It helps law enforcement officers as well 
as computer forensic specialists to unveil illegal dealings of miscre- 
ants who usually cover up their cyber crime in the foggy environment 
of the digital world. Computer forensics makes it easier for law enfor- 
cement officers to ferret out cyber miscreants and convict them in court. 
This paper introduces the concept and definition of computer forensics 
and the contemporary technology, methodology and relevant legisla- 
tions in computer forensics science. It also depicts the roles of three gro- 
ups of professional in computer forensics and analyses their 
interrelationship, identifies the gap among them and try to propose me- 
asures to bridge the gap. The ultimate aim is to work out a model for 
more comprehensive protection of data in computer networks. 


Key words: Data Security, Computer Forensics, IT Auditing; IT Governance and IT 
Legislations. 


I. Introduction 


In this digital era, computer systems are extensively used for private and busi- 
ness communication. While the development of intranet and internet enables 
human communication to become more convenient and cost-effective, it also 
enables the rise of cyber crimes which are more difficult to be dealt with be- 
cause of the complex nature of the crimes. 

There are two categories of computer crimes: criminal activities that has 
a computer as a target, such as a network intrusion or a denial of service attack 
and computer as an instrument facilitating crime. (Kay ,2006) Unlike co- 
nventional crimes, cyber crimes are more sophisticated in nature and harder to 
be detected. The collection of evidence and the ultimate conviction of cyber mi- 
screants are especially difficult because of the digital nature of the informa- 
tion that can be easily altered, hidden or deleted. In order to tackle this problem, 
a new stream of science called computer forensics, also known as cyber fo- 
rensics, IT forensics and e-forensics is being developed. 


615 








Computer forensics science encompasses four key elements: identifica- 
tion, preservation, analysis, and presentation. (Loren, 2004) Computer foren- 
sics, like other streams of forensic science, involve main issues in 
technological, organizational/procedural and legal aspects. This paper sugge- 
sts how IT lawyers/law enforcement officers should work closely with their 
counterparts, i.e. business managers and computer technologists for better data 
protection. 

In order to achieve better data protection, the proper storage of data, 
prevention of outsider intrusion and insider leakage of data and the ultimate co- 
nviction of wrongdoers to achieve deterrence effect are crucial. In the follo- 
wing sections, we will briefly describe the role of technology, organizational 
procedures and legislations in computer forensics. 


ll. Technological Aspect 


A The Nature of Digital Evidence and the Proper Handling of 
such Evidence 


There are two main problems inherent with electronic documents that make 
them more difficult to be analyzed than paper documents. Firstly, they are easy 
to copy and modify........ [Secondly].. is the complexity of different file for- 
mats and different file system structures. (Chow K. P. et al., 2005) In order to 
tackle these problems, computer technologists invented numerous software to 
facilitate computer forensic specialists and law enforcement officers to collect 
digital evidence, make analysis and preserve the originality of the evidence. 
Preserving the originality of the data is crucial for ensuring the admissibility 
of the evidence in court. 


B Collection, Analysis and Preservation of Digital Evidence 


The process of computer forensics begins with the identification and extraction 
of relevant evidence from various data sources. This task is extremely tedious 
and difficult as the evidence is usually modified, encrypted and even deleted 
for covering up the crime and sometimes the evidence was left behind but bu- 
ried in a huge amount of other data. 

A survey done by Kahn Consulting Inc. 2005 revealed that nearly four 
times as many as companies stated that the e-mail discovery process was “dif- 
ficult” or “very difficult” than the number of companies who described the 
process as “routine”. (AIIM & Kahn Consulting Inc. 2005). 

The important steps of computer forensics are to preserve the originality 


616 


of the data and then to make an analysis of the data. Experienced forensic 
examiners will always adhere strictly to the First Rule of data preservation 
which states that the content documents should not be altered in any 
Way....... The Second Rule is that an image must be completely identical to 
the original. Many courts have accepted validation techniques called “Mes- 
sage Digest 5 Hash” (MDS). (Lam, 2005) .If the digital evidence is tainted 
with any trait of alteration during the process of data analysis, its admissibi- 
lity as valid evidence in court may be affected. There are many hardware and 
software to help computer forensic specialists in the process of identification, 
preservation and analysis of the data to ensure admissibility of the evidence in 
court. Some examples of the tools/software are introduced in Appendix I. 


C Training Need of Computer Forensics Specialists/Law 
Enforcement Officers 


Although there are many tools available in the market to help computer fo- 
rensic specialists /law enforcement officers in the process, the inherent pro- 
blem is that still many of these specialists are still not quite familiar with the 
tools, or are even unaware of their availability. 

Benson (2004 ) pointed out that computer forensics was thus becoming 
one of the most important tools in litigation, and it had found its most com- 
mon application in intellectual property litigation. An increasing number of 
courts were ordering forensic inspections of computer systems for the purpose 
of recovering deleted information and those deleted files. 

Despite the importance of computer forensics , Berryhill ( 2005) stated 
that we still found instances in which highly unqualified people had evidence 
placed in their hands by those who should know better. Todd. J Kelly (2004 ) 
also stated that many attorneys had mistakenly used individuals without the 
appropriate expertise only to find out that the evidence was inadmissible in 
court because the methods used were not forensically sound. However it is en- 
couraging to note that many law enforcement units have formed computer fo- 
rensics investigation teams, which comprise members with professional 
knowledge in computer forensics. Besides, many educational institutes also 
developed computer forensics as a special branch of study, usually hosted in the 
law and the computer science faculty. This new area [of study] combines the 
knowledge of information technology, forensics science, and law and gives 
rise to many interesting and challenging problems related to computer security 
and cryptography that are yet to be resolved. (Hui ,et al., 2007) 


617 


lll. Procedural and Organizational Aspect 


A. IT Governance 
It is a golden rule that preventive measures are more important and cost effec- 
tive than remedial and deterrence actions. Furthermore there are legislations 
to compel specific companies such as health and financial firms to keep pro- 
per records of sensitive information of their clients and to protect their privacy. 
Scholars of cyber security and concerned parties (Blount ,2007; Entrusted, 
2004; Federal News Services, Inc. 2004; Info Week, 2004) proposed a proce- 
dural and organizational methodology called IT Governance for proper digital 
data management and compliance with some legal requirements. 

The concept of IT governance is the advocation of procedural and or- 
ganizational strategies which can be summarized as follows: 


e Organizations should formulate strategic plans for secure data ma- 
nagement, 

e The amount of investment on data security should be commensu- 
rate with the firm size and the level of risk that the company may 
face, 

e Top management should recognize the fact that data security is not 
solely technological issue and is not only the concern of the Chief 
Information Officer/the Chief IT Security Officer. In deed it should 
be the concern of all members at various level, 

e Staff at all levels should be trained and be familiar with the guide- 
lines and procedures in the secure data management. 

e Good data management facilitates the retrieval and recovery of di- 
gital evidence, thus proper data storage systems helps an organiza- 
tion a lot in cases of law suits. 


An example of IT Governance is the COBIT Framework, it is an IT Go- 
vernance model[developed by the IT Governance Institute(ITGI) (Petterson , 
2005) that provides over 300 control objectives addressing topics ranging from 
the way that IT departments are managed to the configuration and monitoring 
of software applications. COBIT outlines a high level control objective of “ma- 
naging data” which is designed to ensure that “data remains complete, accurate 
and valid during its inputs, update and storage” (Kahn, et al. , 2005).IT Go- 
vernance involves many issues such as Strategic Management, Risk Manage- 
ment and IT Auditing. It is particularly worthwhile to elaborate a little bit on 
the issue of IT Auditing since we opine that it has close correlation with com- 
puter forensics. 


618 





B. IT Auditing 

With the ever increasing use of computer systems for communication and in- 
formation storage, digital records gradually replace paper records. Such trend 
brings along a great challenge for data management since the digital data is 
more susceptible to alteration, and deletion. The traditional auditing methods 
are no longer effective and the concept of IT auditing has been developed to 
cope with the change. 

IT auditors specialize in the work performed on the automated proce- 
dures. When reviewing controls, it is critical that IT auditors understand on 
which automated procedures they are relying. The IT auditor should identify 
all the key controls in the overall process and then the relevant automated pro- 
cedures (As required by the U.S. Public Company Accounting Oversight Bo- 
ard’s (PCAOB’s) (Norman, 2004) 

In March 2004, the PCAOB completed its extensive review of options 
and issued the Audit Standard No.2 to implement the provision of Section 404 
[of the Sarbanes-Oxley Act 2002].Audit No.2 then requires management to 
base its Section 404 assessments of the effectiveness of its company’s internal 
controls on “a suitable, recognized control framework established by a body 
of experts that followed due-process procedures.” PCAOB identified the fra- 
mework established in the document, Internal Control-Integrated Framework, 
published by the Treadway Commission’s Committee of Sponsoring Organi- 
zations(COSO Framework) as suitable for the purposes of Section 404, and, for 
that reason, would serve as the bases for the performance and reporting stan- 
dards set forth in Audit Standard No.2. (CSIA, 2004) 


C. Methods and Tools for IT Governance and IT Auditing 

For secure data management, it is vital that business managers should embrace 
the concept of IT Governance and IT Auditing, it is equally important that they 
should be aware of the methods and tools available in the market for better 
data management. On cyber security, we have done research, attended a num- 
ber of conferences and read numerous articles over the years, in the process we 
came across some contemporary methods/tools for secure data manage- 
ment.Secure data management covers many issues, the major ones are: (i) ac- 
cess control, (ii) authentication (iii) intrusion detection, (iv) data storage and 
documentation, (v) vulnerability assessment and (vi) security incidents repor- 
ting. There are numerous services/tools for secure data management and we 
only choose relevant services/tools which are particularly useful for IT Go- 
vernance and IT Auditing. We would like to introduce some examples of them, 
the products/services names and their function are highlighted in Appendix II. 


619 


IV Legal Aspect 


A. The Development of Law to Cope with the Rapid Change 


The development of law is a tedious and slow process, the pace of which al- 
ways lags behind the rapid advance and development of science and techno- 
logy. Various countries have been proactively formulating new IT legislations 
to cope with the change; however , the result is far from satisfactory. From our 
5 years of doing research on cyber security and from our literature review, we 
have found that many countries still rely on traditional legislations to combat 
cyber crimes and few countries if not none have developed a comprehensive 
legal systems for cyber security. Therefore the result in combating cyber cri- 
mes is far from satisfactory and there is an imperative need for new legisla- 
tions. In the subsequent sections, we will give an overview of some existing 
legislations for cyber security with special focus on computer forensics in main 
countries. 


B. An Overview of IT Legislations for Combating Cyber Crimes in Main 
Countries 


In order to ferret out the wrongdoers of cyber crimes, put them in court and suc- 
cessfully convict them, IT lawyers/law enforcement officers have to take into 
consideration the following issues: 


e Which legislations are applicable to lay charges against suspects? 
Basically some traditional legislations are still applicable, 

e Are there any legislations that facilitate the search and seizure of 
evidence by law enforcement officers? 

e Are there any specific requirements for ensuring the admissibility 
of evidence? 


In this section, we shall introduce the relevant legislations of the Uni- 
ted State of America, the EU countries and the People’s Republic of China 
(PRC). We chose these countries because the U.S.A. and EU countries are the 
pioneers in cyber security law while the PRC is the most populated country in 
the world and is a rapidly developing country. Appendix III contains a sum- 
mary of the legislations with special focus on computer forensics. 


C. The Effect of Some New Legislations and Amendments of Some Exi- 
sting Legislations on Computer Forensics 


The problem with traditional legislations is that some misbehaviors have never 
been defined or considered. For example, the act of denial of service (DOS) 
attack has never been defined as illegal act in the traditional criminal legisla- 


620 








tions of most countries. In the DOS attacks, there is no physical damage nor 
any misappropriation of properties to render the act illegal pursuant to the tra- 
ditional criminal legislations, nor it is easy to apply the common law doctrine 
of trespass to hold the miscreants civilly liable for any damages arising out of 
the acts. The situation has been improved since some new legislations and the 
amended legislations have been introduced, which clearly define certain be- 
haviors in the digital world as illegal. 

In the old days, law enforcement agencies faced the risk of intruding 
into the privacy and human right of suspects in the process of surveillance in 
computer systems and seizure of digital evidence. Some new legislations, for 
example the Electronic Privacy Communications Act 1986 U.S.A. and the Fe- 
deral Pen-Trap Statute of U.S.A. were enacted to provide proper guideli- 
nes/procedures about surveillance in intranet and internet networks and seizure 
of digital evidence. New legislations were also introduced to lessen the re- 
strain on the law enforcement officers in investigation process, for instance the 
Foreign Intelligence Surveillance Act allows federal government to monitor 
electronic communication of foreign powers and agents of foreign powers lo- 
cated in the United States. Moreover, the new legislations require certain com- 
pany to keep proper record of the digital information and have to report security 
breach incidents promptly. All these measures definitely help a lot in the com- 
puter forensics. Law enforcement officers have more free hands to ferret out 
the miscreants and successfully convict them. 

The international Cybercrime convention and other treaties set out the 
co-operation measures to prevent cross border crimes and make the collection 
of evidence, exchange of intelligence and extradition of suspect easier across 
the borders. 


V. Conclusion 


This paper has defined the meaning of computer forensics and depicted its na- 
ture and development. During our research in cyber security over the years, 
we have read considerable number of journals and articles about cyber secu- 
rity and also met numerous members of the three groups of professionals na- 
mely IT technologists, business managers and IT lawyers/law enforcement 
officers in various conferences and meetings. It was often pointed out by some 
authors and scholars that some of the professionals are not quite acquainted 
with the work of their counterparts in cyber security. We share such notion. 
One of the research objectives of the lead author’s doctoral thesis is to 
identify the gap among them. There is a perceptional gap among them, espe- 
cially the gap between IT technologists and IT lawyers/ enforcement officers. 
This may be due to the fact that IT technologists and IT lawyers/enforcement 


621 


officers come from two quite distinct discipline of study. Therefore, in this 
paper we deliberately present tables at Appendix I, II & III about the so- 
ftware/tools, methodologies and legislations in relation to cyber security for 
their reference, just to let them know more about their counterparts’ work. 

In order to narrow the gap among them, the three groups of professio- 
nal should pay more attention to the development of other professionals, aca- 
demic conferences of themes covering inter-disciplinary issues are good 
platforms for exchange of ideas. We also concur with the opinion of some scho- 
lars that technology, organizational procedures, legislations, each aspect alone 
cannot solve the problem of cyber crimes. Only with the co-operation of the 
three groups of professionals, only when they work closely together and adopt 
a common and holistic approach, there is hope to procure a more secure digi- 
tal environment. We propose below a model on comprehensive solution for 
computer forensics based on the model designed by Mak Kwok Hung & Kwan 
Irene (2004 and 2006) on comprehensive IP protection on Internet. 


Model on Comprehensive Solution for Computer Forensics 










Procedural and 
Organizational Aspect : 





Awareness of Prevention: Methods and Softwares The Gramm-Leach-Billey Act 1999 
Security Participation At All Levels The Sarbanes-Oxley Act 2002 
Enough Funding On IT Security Comnensurate HIPAA 2005 


With Cyber Attack Risk The E-SIGN Act 2005 and the Uniform Electronic Transactions Act 
Council of Europe-Convention on Cyber Crime 1997 
















Technological ————— Legal Aspect : 
Aspect: IT Security Compliance 
Legislations 






Software to Identify and 
Recover Files, 






Legislations against Hackers, 
International Treaties/ 
Agreements 









Criminal and Civil sanction 
on Cyberr Crimes 
Admissibilty of the Evidence 





References 


1) AIIM & Kahn Consulting Inc.( 2005) “Electronic Communication Policies and Pro- 
cedures: A 2005 Industry Study”, AIIM-The ECM Association, MD, USA 2005, 
<www.KahnConsultingInc.com> k 

2) Benson, R. ( 2004) “The Increasing Significance of Computer Forensics in Litiga- 
tion”, Intellectual Property & Technology Law Journal, Clifton, Nov 2004, Vol.16 
Iss. 11 Pg. 1 

3) <http://proquest.umi.com.dbgw.lis.curtin.edu.au/pqdweb> last visited on 3/22/2007 

4) Berryhill, J ( 2005) “Finding a Qualified Computer Forensic Analyst”, Law Enfor- 
cement Technology, Melville, May 2005, Vol.32, Iss. 5, Pg.122 <http://pro- 


622 








quest.umi.com.dbgw.lis.curtin.edu.au/pqdweb> last visited 3/21/2007 

5) Blount, S. (2007) “The Role of Security Management in Achieving ‘Continuous 
Compliance’ ” , White Paper , Computer Associate, U.S.A. 2007 at < 
http://www3.ca.com > last visited on 2/12/2007 

6) Chow K etal (2005) “Digital Evidence Search Kit”, Proceedings of the First Inter- 
national Workshop on Systematic Approaches to Digital Forensic 
Engineering(SADFE 2005), Taipei, Taiwan, November 7-10, 2005, IEEE Computer 
Society Press at < http://i.cs.hku.hk/~cisc/forensics/papers/DESK.pdf > last visited 
9/17/2007 

7) Entrust (2004) “Information Security Governance(ISG)-An Essential Element of 
Corporate Governance”, Entrust 2004 at <http://www.entrust.com> 

8) CSIA (2004) “Sarbanes-Oxley Act: Implementation of Information of Information 
Technology and Security Objectives” , Cyber Security Industry Alliance, DC , USA, 
December, 2004, at <http:/Awww.csialliance.org 

9) Hui C „et al (2007) “Tools and Technology for Computer Forensics : Research and 

Development in Hong Kong (Invited Paper)”, Proceedings of the 3rd Information 

Security Practice and Experience Conference(ISPEC 2007), Hong Kong, China, 7-9 

May 2007, LNCS 4464, pp. 11-19 at < http://i.cs.hku.hk/~cisc/forensics/publica- 

tion.html > last visited 9/17/2007 

Information Week, Network Magazine & Security Pipeline 2004, “Intrusion - Pre- 

ventionStrategies.- Playbook - the Business IPS Guide”, Information Week, Ne- 

twork Magazine & Security Pipeline 2004, U.S.A. 

11) Kahn, R. & Barclay T. (2005) “Compliance: Moving Beyond the Headlines”, Kahn 

Consulting Inc. 2005. at < http://wp.bitpipe.com/resource/org > last visited 

2/1/2006 

Kay, R (2006) “Computer Forensics”, Computerworld, Framingham, Apr.17, 2006, 

Vol.40, Iss.16, Pg.49 <http://proquest.umi.com.dbgw.lis.curtin.edu.au/pqdweb> last 

visited on 3/6/2007 

Lam, R. ( 2005) “Computer Forensic Issues and e-Disclosure”, Grant Thornton In- 

sight Winter 2005, Grant Thornton 2005 at <http://www.gthk.com.hk/upload/in- 

sight/Winter05/08 .html> 

14) Mak Kwok,H. & Kwan, I.( 2004) “The Protection of Intellectual Property on Inter- 
net in the People’s Republic of China(PRC) : Towards a Comprehensive Solution”, 
International Association of Computer Information Systems (IACIS) Pacific 2005 
Conference, Taiwan May, 2005 at < http://www. iacis.org > 

15) Mak Kwok ,H. & Kwan I.( 2006) “A Review and Analysis of Inter-organizational 

and International Cooperation against Cross Border Cyber Crimes”, The First Inter- 

national Conference on Legal, Privacy and Security Issues in IT, Hamburg, Ger- 

many April 30 — May 2, 2006 Proceedings Vol..1 pp525--546 at < 

http://www.kierkegaard.co.uk > 

Marks, N.( 2004) “The More Things Change....”, the Internal Auditor, Altamonte 

Springs, Aug.2004, Vol.61, Iss.4, Pg.60 

<http://proquest.umi.com.dbgw.lis.curtin.edu.au/pqdweb> last visited on 3/23/2007 

17) Loren,M. ( 2004) “Computer Forensics : Characteristics and Preservation of Digital 
Evidence”, FBI Law Enforcement Bulletin, Washington, Mar. 2004, Vol.73, Iss. 3 
Pg.28 

18) <http://proquest.umi.com.dbgw.lis.curtin.edu.au/pqdweb> last visited on 3/23/2007 

19) Petterson, M. ( 2005) “The Keys to Effective IT Auditing”, the Journal of Corporate 
Accounting & Finance, Hoboken, Jul/Aug 2005, Vol.16,Iss5, Pg.41 

20) <http://proquest.umi.com.dbgw.lis.curtin.edu.au/pdf> last visited on 3/23/2007 


10 


Sa 


12 


xw 


13 


N 


16 


~ 











Appendix ! 
Hardware and Software for Digital Evidence 


























Purpose/Functions | Name of Services/Products Services/Products Providers 
Norton Anti-Virus 2008 Norton 
IPSec Microsoft 
Access Control, Safe Net Safe net Computer 
Intrusion Detec- 
tion/Prevention | Phoenix Phoenix Technologies 
and Authentication | Connectra Check Point 
IBM Proventia Network Intrusion 
Prevention Systems(IPS IBM 





EMC Centera & Content Addressed 
Storage 











Data Storage and 
Documentation 









Computer Associates 





Storage Resource Mana 
IBM Storage 


er 





















Enterprise Security Manager Symantec 
Vulnerability [NetIQ netiQ 
Assessment Novell ZENworks Patch Manage- 


ment Novell 


Vulnerability Remediation 


SecureGate Firewall IceWALKERS 
Microsoft ISA Server 2000 Microsoft 





Security Incidents 
Reporting 




















The above table is re-constructed by us basing on the table provided by Bigler 
Mark 2001, with simplification, updating, and addition of relevant information from 
ACA-Pacific 2004a, and CHOW K.P. & others 2005. There are many other tools and 
providers and Bigler Mark and we arbitrary named some tools from leading firms for 
illustration purpose. 


624 











Appendix Il 
Services /Products for Secure Data Management 


with Special Focus on IT Auditing and Risk Management 
















roducts/Services 
Providers 


ARMOR 
FORENSICS 


DIBSUSA INC 
Guidance Software 


Purpose/functions Name of Products/Services 









Fnames GetFree GetNames GetTime; 
GetHTML GetGIFTextSEarch NT 


Access Dats’s Forensic Toolkit 


Encase eDiscovery Suite 


Norton Ghost 12.0 
Backup Exec System Recovery 


D.A.R.T. XP Data Recovery ; 
Recover ItAll Digital Picture Recovery 

e-Recovery for Outlook Express Retro Burner DTIDATA 
Fast File Undelte (Fat16/32) 


Connectra Check Point 
Access Data’s Forensic Toolkit DIBSUSA INC 













Identification and re- 
covery of digital evi- 
dence 






Norton 














SafeBack 3.0 (SHA 256 Bit Hashes) ARMOR FOREN- 
DiskSigPro CreMD5 SICS 


Encase e Discovery Suite Guidance Software 


Password Recovery Toolkit DIBSUSA INC 


J ARMOR 
Advanced Password Recovery Software Tool Kit FORENSICS 


Imagining 


Password/ 
Encryption Crackers ‘ 
Advanced Quickbooks Password Recovery Computer Associates 


; ; ARMOR 
Analysis Software Suites FORENSICS 





Mobile Forensic Workstation 
Advanced Forensic Workstation DIBSUSA INC 
Access Data’s Ultimate Toolkit 














Encase e Discovery Suite Guidance Software 


h 
h 
h 










DIBSUSA INC p://www.dibsusa.com 
DTIDATA http://www.dtidata.com 


hi 
> : 
i 


Sources of the above information from: ACA Pacific 2004a, ACA Pacific 2004b, 
Carleton Jarad 2005 and Fronbridge Technologies Inc. 2004 


A 
Guidance Software p://www.guidancesoftware.com 


p://www.03 ibm.com 







625 











Appendix 3 
Legislations for Better Data Security 


with Special Focus on Computer Forensics 


Purpose/Function Name of Legislations Key Points of the Legislations 


Prevention of Illegal | The Criminal Damage Act 1971 of The deliberate and unauthorized dele- 
Access, Interference | U.K. tion of programs from the computer- 
Alteration and Mis- ized workplace. ..violates Section 1(1) 
appropriation of of the Act 


Digital Information Section | of the Act makes unautho- 
rized access an offence 


etc 

Section 1030, punishes any intentional, 
unauthorized access to a protected 
computer for illegal purpose.. 






































The Computer Misuse Act 1990, of 
UK. 


Title 18 U.S. Code of 1994 (formerly 
the Computer Abuse Amendment Act 
1986), of U.S.A. 


Regulations on Safeguarding Com- 
puter Information Systems 1994, of 
PRC 





















No body may use computer informa- 
tion systems to engage in activities that 
endanger national or collective inter- 
ests, as well as the legitimate interests 
of citizens. 
Article 1-Definition of “Computer Sys- 
tems”, ” Computer Data”, “Service 
Provider” and “Traffic Data”; 

Article 2 -Illegal Access; 

Article 3 — Hlegal Interception; 

Article 4- Data Interference; 

Article 5-System Interference and 
Article 6-Misuse of Devices; 

Article 7- Computer Related Forgery; 
Article 8-Computer Related Fraud 


Protects users of the Internet from un- 
knowing transmission of their person- 
ally identifiable information through 

spyware programs. 
Regulates information brokers and pro- 


tects individual rights with respect to 
personally identifiable information. 







































Council of Europe-Convention on Cy- 
bercrime 1997 

Chapter II-Measures to be Taken at the 
National Level 

Section 1-Substantive Criminal Law 
Title 1-Offences Against The Confi- 
dentiality, Integrity and Availability of 
Computer Data and Systems 

Title 2 -Computer Related Offence 
Title 3 -Content Related Offence 


Securely Protect Yourself Against 
Cyber Trespass Act (The SPY ACT) of 
2005 of U.S.A. 




























Information Protection and Security 
Act of 2005 of U.S.A 
































Title III of the Omnibus Crime Control 
and Safe Streets Acts of 1968, 
amended by the Electronic Privacy 
Communications Act of 1986 of U.S.A 


Federal Pen-Trap Statute of U.S.A. 


Governs all interception of electronic 
communications conducted by federal 
law enforcement investigators. 


Surveillance, Seizure 
of Evidence, Admis- 
sibility of Evidence 
and International 
Cooperation in Com- 
bating Cyber Crimes 





Provides a less intrusive mechanism to 
monitor e-mail ...Any law enforcement 
agent that uses a pen-rap device with- 
out first acquiring a court order is sub- 
ject to a fine and up to a year in prison 


















Precedent Case R v Brown in the 
House of Lord of U.K. 


Held that access by the police defend- 
ents into the Police National Database 
to check the registration numbers of 
vehicles for purposes other than that of 
policing was not an offence contrary to 
Section 5(2) of the Data Protection Act 
1984(before that in Section 161 of the 
Criminal Justice and Public Order Act 
1994) 


Allows the federal government to mon- 
itor electronic communication of for- 
eign powers, and agents of foreign 
powers located in the United States... 
























The Foreign Intelligence Surveillance 
Act (FISA) of U.S. A. 








626 

















Key Points of the Legislations 


Purpose/Function Name of Legislations 


Surveillance, Seizure | Federal Rule of Evidence 901 of 
of Evidence, Admis- 
sibility of Evidence 
and International 















Evidence must be authenticated, no in- 
advertent or purposeful contamination 

occurred, to be admissible against a de- 
fendant at trial... 


























Cooperation in Com- }—— SISET : i 
bating Cyber Crimes Criminal and Civil Liability; Employ- | Any FBI agent that engages in the ille- 
(Continued) ment Termination of U.S.A. gal, unauthorized conduct of electronic 


surveillance commits a federal crimi- 
nal offense punishable by imprison- 
ment for up to five years, a fine, or 
both. Every law enforcement agent 
who illegally conducts electronic sur- 
veillance is subject to immediate termi- 
nation. 


Article 23- General Principles Relat- 
ing to 


International Co-operation, 

Article 24 —Extradition, 

Article 25- General Principles Relat- 
ing to Mutual 

Assistance, 

Article 26 -Spontaneous Information, 
Article 27 - Procedures Pertaining to 
Mutual Assistance Requests in the Ab- 
sence of Applicable International 
Agreements. 

Article 28 — Confidentiality and Limi- 
tation on Use 

Article 29 -Expedited Preservation of 
Store Computer Data. 





Council of Europe-Convention on 
Cyber Crime 1997 

Chapter II] —International Co-operation 
Section l- General Principles 

Title 1-General Principles Relating to 
International Co-operation 

Title 2-Principles Relating to Extradi- 
tion 

Title 3-General Principles Relating to 
Mutual Assistance 

Title 4- Procedures Pertaining to Mu- 
tual Assistance Requests in the Ab- 
sence of Applicable International 
Agreements 


































To provide health portability, fraud en- 
forcement, and administrative simplifi- 
cation for the healthcare industry. 


Keeping Proper 
Records and Main- 
taining Privacy 


The Health insurance Portability and 
Accountability Act (HIPAA) of 1996 
of U.S.A. 





















Federal Pen-Trap Statute of 
U.S.A.Council of Europe-Convention 
on Cyber Crime 1997 

Title 2-Expedited Preservation of 
Stored Computer Data Section 


Article 16- Expedited Preservation of 
Stored Computer Data. 

























State Secrets Protection Regulations 
for Computer Information systems on 
the Internet 2000, of PRC 


Article 8 stipulates that the principle 
of responsibility for regulating the rev- 
elation of state secrets on the Internet. 
Article 10 requires ISPs BBS etc to set 
up their own management mechanisms 
to assist in ensuing that no state secrets 
are transmitted on the Internet by their 
users. 
















The Sarbanes-Oxley Act (SOX) of 
2002 of U.S.A. 


Section 404 requires senior manage- 
ment of publicly traded companies 
both to (i) establish and maintain ade- 
quate internal controls for financial re- 
porting and (ii) assess annually the 
effectiveness of those controls. 




















Keeping Proper The Gramm-Leach Bliley Act (GLBA) | To enhance the privacy and security of 
Records and Main- | of 1999 of U.S.A. amended by the Fi- | Nonpublic Personal Information(NPI) 
taining Privacy nancial Privacy Breach Notification for consumers doing business with fi- 
(Continued) Act of 2005. nancial institutions.. 

































Criminal and Civil Liability; Employ- 
ment Termination of U.S.A. The Soft- 
ware Principles Yielding Better Levels 
of Consumer Knowledge Act (SPY- 

BLOCK) of 2005 of U.S.A. 


The E-SIGN Act of 2005 and the Uni- 
form Electronic Transactions Act) of 
U.S.A. 


To require clear disclosure to computer 
users of certain computer software fea- 
tures that may pose a threat to user pri- 
vacy. 





















Grants electronic signatures and elec- 
tronic records the same legal recogni- 
tion as their paper counterparts. 
Encourages the use of electronic 
records for business, it also makes 
clear that organizations must properly 
mange those records. 








Sources of the information are from: CipherTrust 2005, Computer Crime Research 
Centre 2004 a & b, Condon Ron 2006, Council of Europe 2001, CSIA 2004, CSIA 
2005a, CSIA 2005b, Dunham Griffin S. 2002, Hamin Zaiton 2000, Hsai Tao Tai 2002, 
Kahn Randolph A & Barclay T. Blair 2004, Kahn Randolph A & Barclay T. Blair 2005, 
Li Xingon 2002 and Mercer D Loren 2004. 


628 








TECHNOLOGICAL AND LEGAL ASPECTS OF 
COMMUNICATIONS AND INFORMATION 
SECURITY: 

CASE STUDY OLYMPIC GAMES 


Peter Stavroulakis 


Professor of ECE 
Technical University of Crete, Greece 


pete_tsi@yahoo.gr 


Steven Stavroulakis 
Law Student 
stevenstavroulakis@yahoo.gr 


Abstract: In this paper, we present the technological and legal 
aspects of Communications and Information Security as they apply to 
the design of secure large scale telecommunications systems. The 
example that is used has been implemented successfully to recent 
Athens/2004 Olympic Games. The OSI seven layer Model is used to in- 
dicate main system vulnerabilities and the way that can be faced layer 
by layer with reference to security. The relevant legal framework that 
applies in such cases is also presented. A specific application is pro- 
posed ina telemedicine environment and it is shown that it can have 
similar applications to general Chemical, Biological, Radiological and 
Nuclear ( CBRN) incidents. 


1. Introduction 


The Subject of information security[1,2], the transfer of accurate and un- 
compromised information as well as the secure transfer of information has 
become an International issue ever since 3lof December of 1999. The year 
2000 scare which has been coded as the Y2K scare refers to what prominent 
scientists and business people feared that all computer networks and the sys- 
tems that are controlled or operated by them could break down with the turn 
of the Millennium since their synchronizing clocks could lose synchroniza- 
tion by not recognizing a number ( instruction) with three zeros. A positive 
outcome of this scare was the creation of the various CERTS (Computer Emer- 
gency Response Teams) around the world which now work cooperatively to 
exchange expertise, information and be coordinated in case of major problem 
_arises in the modern IT environment. The nucleus of this effort, initially, was 
the collaboration of USA, UK and Australia by forming the first International 
CERT in order to cooperatively solve this type of problems. The terrorist attack 


. 629 








in New York on 11 September 2001 caused this scare to become a permanent 
International nightmare. The International community responded quickly to 
face both fronts using sophisticated technology. One front being the transfer 
of reliable information via secure networks and the other being the collection 
of information about potential terrorists even via sophisticated surveillance 
and information collecting mechanisms. Now all people around the word live 
more or less under the impression that the whole world is nothing but a “Big 
Brother” living space and thus, the need of the legal framework to protect 
them. 

The Athens Olympic Games 2004 was the testing ground for the exi- 
sting technology to prove that leading age technological means are available to 
secure major international events. Unfortunately technology so far cannot be 
used effectively in all cases without violating the legal framework, as we shall 
see in later on which was created to make the people feel that their personal 
data are protected . We have the example of the Greek Cellphone Caper which 
became a major article in the July 2007 issue of the spectrum magazine of 
TEEE. This has been coded as the Athens affair and show how extremely smart 
hackers with apparently inside information pulled of the most audacious cell- 
network braking ever. It was found that the cellphone o Prime Minister of Gre- 
ece was bugged along with 100 other high ranking officials and dignitaries of 
the government including an employee of the US Embassy. 


2. Technological aspects 


Technology, therefore, offers a great tool in the direction of making people feel 
more secure but misused can violate fundamental rights. The most common 
good of the people in modern societies, since we are living through the Infor- 
mation Revolution, is information in general and the way it is transferred from 
the source to those who can use it or misuse it. Thus, we cannot use techno- 
logy and implement secure networks without, at the same time, examining 
their legal implications as we shall see in this paper in the case study of the 
Olympic Games. First we shall analyze the vulnerable points of communica- 
tions networks, which are used for secure information transfer and then exa- 
mine the legal framework that exist in which they have to operate. For 
purposes of an integrated approach for an audience which may not be entirely 
technical nor have only legal background, we shall use the Seven Layer Ne- 
twork Model which is referred to as the Open System Interconnect model 
coded by the code word OSI. 

Secure information transmission has been a main concern since ancient 
times. It is well known the way Agamemnon the king of Mycenae sent the 
message to his Queen Klytemnistra that they captured Troy to get Helen back 


630 








by sending her a coded light message over the mountains from Troy to Myce- 
nae. 


2.1 OSI Model 


With modern analytical tools, information networking has been based on a 
seven layer model —the open systems interconnect (OSI) Seven Layer Network 
Model as shown in figure 1.[see reference 3] 

This model concept will be used in the context of information security. 
It presents concisely what technological parameters are critical in communi- 
cation and information security and that the layer by layer approach to secu- 
rity is the most appropriate in order to make sure that all possibilities for 
security compromise are covered . This approach also helps the technologists 
to offer a cure and face effectively a specific threat instead of using a trial and 
error approach without any real results. This model also help us to determine 
whose responsibility is any specific action required. We thus have to analyze 
vulnerabilities of each layer related to security and develop specific controls to 
avoid security compromises. 

Putting all together the elements of this approach will develop an equ- 
ivalent seven layer security model shown in figure 2.[3] This model more or 
less presents the specific response of the technology to various security thre- 
ats ateach layer. In the following discussion, we shall take each layer and 
examine it on the basis of its formal definition, its practical place in the ne- 
twork and presents possible controls for possible relevant risks and threats. 


2.1.1 Physical Layer 


The Physical layer as shown in figure 2 is responsible for the physical com- 
munication between end-stations. It’s main vulnerabilities are disconnection 
of physical data links, interception of data, physical damage and destruction of 
data hardware. The controls for this case include notarization and signature as 
they are provided by detailed authorization, biometric based authorization sys- 
tems and video or audio surveillance. 


2.1.2 Data link layer 


The data link layer is concerned by the logical elements of transmissions be- 
tween two directly connected stations. This is the layer where data package are 
prepared for transmission by the physical layer. It transmit package from node 
to node based on station address. The data link layer is the realm of Medium 
Access Controls (MAC) Addresses and Virtual Local Area Networks(VLANS) 


631 








and Wide Area Networks( WANs) protocols such as frame Relay and Asyn- 
- chronous Transfer Mode( ATM). It’s main vulnerabilities are MAC address 
spoofing and VLAN circumvention. The controls that technology can provide 
are MAC Address filtering and the separations of trusted layers. 


2.1.3 Network Layer 


The Network layer is the last layer that has physical correspondence to the real 
world. It routes data to different LANS ad WANS based on Network Addres- 
ses. It then determines what path a package would need to take to reach a final 
destination over multiple possible data links and paths over numerous inter- 
mediate hosts. Its main vulnerability are route and Inteconnect Protocol (IP) 
address spoofing. Technology faces this problem by implementing confiden- 
tiality measures that lead to strict route policy controls, firewalls and broadca- 
sting of monitoring software. 


2.1.4 Transport Layer 


This layer is the first purely logical layer and its main function is to multiplex 
and sort various data conversations from or to a single host and thus to ensure 
data integrity. Its main vulnerabilities are mishandling of undefined or purely 
defined or illegal conditions. Technology in such a situation can offer strict fi- 
rewall based controls to limit access to specific transmission protocols. 


2.1.5 Session Layer 


This layer plays the role of the traffic lights of the whole process and provides 
coordination of the communications in an orderly manners. It makes sure that 
a previous request has been fulfilled before the next one is sent. It also marks 
significant parts of the transmitted data with check points to allow for fast re- 
covery in the events of the connection failure. It is therefore responsible for en- 
suring non-repudiation. Its main vulnerabilities are leakage of information 
based on failed authentication attempts do to weak or non-existent authentica- 
tion mechanism. The main controls available are encrypted password exchan- 
ges and storage and timely expirations for credentials and authorization of 
accounts. 


2.1.6 Presentation layer 


The presentation layer deals with the organization of data passed from the ap- 
plication layer into the network. It also ensures that the information is accep- 
table to the application and session layers by using various conversion schemes 


632 








to convert from the standardized format into nonspecific local formats. It also 
controls network layer and enhancements such as compression or encryption. 
Its main vulnerabilities are poor handling of unexpected external input which 
can lead to remotely manipulation or information leakage. The controls that 
can be used are effective access control mechanisms. 


2.1.7 Application Layer 


A function non-pertaining directly to network operation occurs at this layer. 
For example, a program in a client workstation uses commands to request data 
from a program in the server. Common functions at this layer are opening, clo- 
sing, reading and writing files, transferring files, executing remote jobs and 
email messages and obtaining directory information about network resources. 
The main vulnerabilities of this layer are poor or non existent security designs 
of the basic function of an application. The leading security controls of this 
layer are the accurate and strict authentication schemes. 

We observe that for any networking process, we have before hand in our 
design a basket all possible counter-measures for any possible threat. The qu- 
estion is whether those fixes are always used in designing secure networks 
especially those implemented for mass use . The answer is positively no for 
two reasons. One reason being that those fixes may be very expensive or tech- 
nically inappropriate because the specific technology required may not be 
mature yet even though may exist. The other reason is that the specific appli- 
cation in order to be entirely effective must violate certain legal aspects of the 
legal framework in existence. More important cases are the wireless networks 
which are by definition more vulnerable to external attacks. Those are also the 
ones that have been used ina large scale in the Olympic Games, the starting 
point being the Athens Olympics/2004. The following discussion, therefore, 
without loss of generality is devoted to wireless networks vulnerabilities as 
they can be used in Olympic Games. 


2.2 Secure wireless systems 


The OSI model applied to wireless systems explained above as an overall sys- 
tem from the security point of view can be described by the use of a table as 
shown in table 1. by mapping the security threats into security goals. We can 
thus proceed to examine how an overall wireless system can be designed to 
provide high level protection. 

The main universally available wireless systems are the cellular sys- 
tems. These systems, however, do not provide high level security because they 
are intended for mass use and the controls we presented above have not been 


633 











implemented in the design and implementation of their layered structure. Im- 
plementation of all counter measures layer by layer available, would make 
these systems very expensive and non profitable to the service providers and 
thus they are not used for implementing secure networks. We have the exam- 
ple of the Athens Caper we mentioned above. 

The European Telecommunication Standards Institute (ETSI) has wor- 
ked in the direction of developing a secure wireless system of the cellular type 
for the last ten years. The outcome of this effort has been the development of 
the TErrestrial Trunked RAdio System which is coded y the acronym TETRA. 
The TETRA system has been designed to correct the security flaws of other 
mobile cellular systems by incorporating most of the controls mentioned above 
and shown in table 1.and has been standardized for large scale use. All seven 
layers have been more or less designed with the appropriate controls for se- 
cure communication and information transfer and it is been used by all public 
safety organizations of Europe including medical emergency services. A spe- 
cialized telemedicine application is shown in Figure 3 based on TETRA. 

This particular TETRA based application can be used for telemedicine 
applications in an Olympic Games environment as they relate to chemical, 
biological, radiological and nuclear(CBRN) threats. This system was used for 
the first time during the Athens Olympic Games/2004 with great success. It 
was designed to be able to face, among other things incidence in a general 
emergency telemedicine environment. These type of super-secure systems, as 
it can be seen in figure 3, even in these type of applications, use surveillance 
techniques, personal information/data of a potential victim(s) or terrorists 
which if misused may violate fundamental rights of those involved. 

We thus need to examine the general legal framework under which these 
applications fall, since their usage in Olympic Games have international im- 
plications. With the advent of internet and the substitution of the telephone by 
the computer, secure communications and secure information transmission 
through computer networks is the main concern of the international community. 
Today, these international actions concern all of the legal areas dealt with: com- 
puter-related infringements of privacy, computer-related economic crime, in- 
tellectual property protection, illegal and harmful contents, computer-related 
procedural law, as well as legal regulations on security measures. The Organi- 
zations involved are OECD, Council of Europe, European Union, UN, G8, 
WIPO, WTO. 


634 








3. Legal Aspects of Secure information Networks[3,5] 


It is obvious that we are living through a new Revolution which can be coded 
as Information Revolution as mentioned above. As the industrial revolution 
created fundamental social changes and changed the international legal fra- 
mework existing at that time, so is doing the information revolution. Techno- 
logy misuse has created new crimes and the appropriate authorities do not have 
yet the necessary and socially acceptable tools to face these new problems, wi- 
thout violating fundamental rights such as violation of personal data and in- 
tellectual property protection. Globalization as a result of this revolution seems 
to require different protection tools from those that the individual nations ac- 
cept and believe are necessary. This conflict has created a new environment 
characterized by the code word information warfare. The legal framework that 
exists and covers the implementation of the systems introduced above is 
presented briefly below. Thus whoever is implementing the systems we men- 
tioned above and the telemedicine systems with CBRN applications to be 
presented below is obliged the work within this legal framework. 

This international framework consists of a number of treaties the most 
significant of which is the International Telecommunication Convention of 
1982 (ITC) under the umbrella of the International Telecommunication Union 
ITU. Relevant articles of the ITC provide for security related matters in com- 
munications and information transfers. 

The first comprehensive proposal for computer crime legislation was a 
federal Bill introduced in the US Congress by Senator Ribikoff in 1977. The 
Bill was not adopted, but this pioneer proposal created an awareness all around 
the world. As a result of this, the National Institute of Standards and Techno- 
logy NIST issued in November 2002 a set of recommendations in furthe- 
rance of its statutory responsibilities under the Computer Act of 1987 and 
the Information Technology Management Act of 1996 that cover Wireless 
Network Security. 

Various other international and supranational organizations realized that 
the mobility of data and the transnational character of computer crime requ- 
ired international harmonization of the respective laws at an early stage. With 
respect to the international harmonization of law, the international organiza- 
tions started various actions which have already considerably influenced and 
co-coordinated the legal development of national laws. 

At the European level, a comprehensive study based on a contract be- 
tween the European Commission (DG XIII) and the University of Würzburg 
which led to a study titled << Legal aspects of Computer related Crime in 
the Information Society-COMCRIME 1998 Study by Prof. Dr. Ulrich Sie- 
ber>> has provided the European Commission with up-to-date information 


635 

















on the legal issues of computer-related crime, especially with respect to sub- 
stantive criminal law, procedural criminal law as well as the suggestion of al- 
ternative solutions. The contract also includes the establishment of a database 
with the relevant national computer crime statutes of substantive criminal Law 
(see note 1) Deficits of clearly defined European solutions exist especially with 
respect to non-legal measures as well as with respect to economic criminal law, 
illegal and harmful contents, criminal procedural law, security law as well as 
the sanctions in the field of data protection law. This study also includes re- 
commendation for actions on the part of EU to solve these problems. This 
study had as a background the previous EU work and activities. The OECD 
in Paris appointed in 1983 an expert committee to discuss computer-related 
crime and the need for changes in the Penal Codes. As a result of the commit- 
tees proposals, the OECD recommended the member countries to ensure that 
their penal legislation also applied to certain categories of computer crime. The 
proposals included a list of acts which could constitute a common denomina- 
tor between the different approaches taken by the member countries. Another 
expert committee was appointed by the Council of Europe and the legal issues 
was further discussed leading to the Recommendation No. R(89) 9. This Re- 
commendation was adopted by the Council of Europe on September 13, 1989. 
It contains a minimum list of offences necessary for a uniform criminal policy 
on legislation concerning computer-related crime as, and an optional list. (see 
note 2). The Council of Europe adopted on September 11,1995, another Re- 
commendation concerning problems of procedural law connected with Infor- 
mation Technology. 

A Committee of Experts on Crime in Cyberspace (PC-CY) was appoin- 
ted by the Council of Europe in 1997 in order to identify and define new cri- 
mes, jurisdictional rights and criminal liabilities due to communication on the 
Internet. Canada, Japan, South Africa and the United States were invited to 
meet with experts at the Committee meetings and participated in the negotia- 
tions. The Convention was finally adopted by the Ministers of F oreign Affairs 
on November 8, 2001. It was open for signatures at a meeting in Budapest, 
Hungary, on November 23, 2001. Ministers or their representative from 26 
member countries together with Canada, Japan, South Africa and the United 
States signed the treaty. The total number of signatures are 33. Other countries 
outside the Council of Europe may later be invited to accede to the Convention. 
The treaty will come into force when five countries, at least three member co- 
untries have ratified it.(see note 5) The subject was also discussed at the 13th 
Congress of the International Academy of Comparative Law in Montreal in 
1990, at the UN's 8th Criminal Congress in Havana the same year(see note 3), 
and at a Conference in Wurzburg, Germany, in 1992. (see note 4) 


636 








For specialized matters such as those that cover tools with regard to 
Crypto ,digital signatures and digital evidence, the relevant directive 
1999/93/EC/13-December 1999 is in effect. A more general framework that 
covers the legal aspects of Open Public Networks in general and applies in 
England , Northern Ireland and Wales is the Data Protection Act 1998 as it re- 
lates to the rights of Individuals to have access to their personal data held by 
certain bodies along with the Regulation of Investigatory Powers Act 2000 
compounded by the Anti —Terrorist, Crime and Security Act 2001. 


4. An Emergency Telemedicine System/Olympic Games 
application 


The system presented briefly below is an example of an application of a 
telemedicine type infrastructure with CBRN applications which uses to a 
large extent the technological components presented in section 2 and is bound 
by the legal framework mentioned in section 3. 

The system coded by the code word E-112 [4-13] is an upgraded tech- 
nologically expert medical care, which was originally designed to improve 
emergency health care services at understaffed rural areas and out of coverage 
urban spots such as the metro rail stations. It can equally be applied to emer- 
gency medical services due to a possible CBRN incident in an telemedicine en- 
vironment during a large scale secure telecom system application such as 
Olympic Games. The heart of the system as a communication medium is a 
TETRA system and thus the legal framework explained above with emphasis 
on wireless Network Security [5] holds. All security technical criteria covered 
in section 2 and the legal aspects of section 3 are applicable here. 

The fields of interest of this paper are Ambulances, Rural Health Cen- 
ters (RHC), Ships navigating in wide seas, Airplanes in flight and other remote 
areas of interest that are common examples of possible emergency sites.. To 
comply with different growing application fields a specific module is used for 
each CBRN case as shown in figure 3 and 4. The telemedicine module is a 
combined real-time, store and forward facility that consists of a base unit and 
a telemedicine-mobile unit. This integrated system can be used to: 


e Handle emergency cases in ambulances, RHC, ships or airplanes by 
using the telemedicine unit at the patient - emergency site and the ex- 
pert’s medical consulting at the base unit. 

e Enhance intensive health care provision by giving a portable base 
unit to medical personnel while the telemedicine unit is incorporated 
with the Interface Control Unit (ICU) in-house telemetry system. 


637 











e Provide the hardware and software foundations to produce full lab- 
oratory biochemical analysis in 
e Outdoors and areas of special interest e.g. the subway. 


Data transmission is performed through or TETRA mobile networks, 
through satellite links or normal telephony, ISDN, xDSL, LAN and WLAN in 
the local loop. Due to the need of storing and archiving of all data interchanged 
during the telemedicine sessions, the consultation site is equipped with a mul- 
timedia database able to store and manage the data collected by the system. 
Figure 4 addresses the system functionality. A basic functional part of this sys- 
tem is the emergency mobile access gateway. The other major components of 
the system are discussed briefly below in order to show the integrated nature 
of the system which may not be of great interest to non —technical people. 


4.1 Emergency mobile access gateway 


The architecture proposed allows for simultaneous end-user terminal opera- 
tion. The system is composed of the primary unit, which behaves as an access 
gateway, and a group of secondary devices that collect electrophysiological si- 
gnals, transmit video, produce biochemical and gas analysis. The access gate- 
way connects to a 2 Mbps satellite modem giving real time video streaming in 
the uplink and the downlink in addition to and biological signals monitoring. 
Figure 6 shows how the proposed satellite implementation achieves large-scale 
integration covering wide geographical rural environments that aren’t covered 
from the present implementation. The server which is embedded in the Emer- 
gency-112 primary unit generate multiple port connections in order to broad- 
cast parallel videos, vital biological signals as well as additional information 
to different stations based on the classification given by the E-112 primary me- 
dical crew. The two Megabits per second satellite link provides the physical 
over the air (OTA) interface that connects the primary unit to the remote ad- 
ministration host. 

Figure 7 simulates an underground indoors environment, such as the 
metro subway in which groups of patients that are spaced apart but in relatively 
short distances create a WLAN regardless the terrain, the technology infra- 
structure or the line of sight. Broadband access in the local loop is achieved 
through the wireless Ethernet backbone where multiple users connect using 
the 802.11b/g standard. The E-112 primary unit requires an RJ-45 fast Ether- 
net plug to be installed in the areas of great concern e.g. departure platforms, 
the escalators and the exit. This contributes towards the generation of wireless 
“hotspots” and “hot areas” that provide broadband local access. A scenario like 
this is not far from reality; assuming a gas attack in the lower levels of the sta- 


638 








tion; the primary component is plugged directly to the Ethernet switch and the 
personnel that carry the secondary Emergency device navigates in areas of 
high injury concentration. A mobile computer with a “ specific bio-agent” de- 
tector scans the area for large-scale aerosol attacks and reports back to the se- 
rver . 

Two different user profiles are created, the administrator access gate- 
way user and the user that transmits data on the fly to the server. Multiple trans- 
missions can have multiple receivers due to the TCP/IP stack that takes over 
the procedure. The E-112 server performs all network related tasks, that is IP 
filtering, store and forward, routing, initiation and termination procedures, user 
access rights and gateway switch over selection. 


4.2 Incident classification and priority allocation 


End-users in the secondary unit provides information about the injury in order 
the ambulance crew to rate the severity of the emergency. Heavy injured pa- 
tients will be classified differently and they will be given the highest priority 
for guaranteed data transmission. Active directories generate end-user profiles 
so that a full record is maintained during and after the telemedicine treatment. 
An intelligent technique allows End users to generate alarms in case the pa- 
tient’s condition gets serious. Different levels of alarms update in regular inte- 
rvals a database that maintains the patient’s medical record. Remote physicians 
will log on to the primary Emergency system server and a “push-pull” service 
will upload the patients profile through a secure multilevel strongly encrypted 
Virtual Private Network(VPN)connection. Secondary users are given ban- 
dwidth based on the severity of the injury. An intelligent bandwidth allocation 
routine running in the primary server, process parallel video transmissions and 
alters the bit rate respectively. 


4.3 Video transmission 


Live video streaming can use specialized protocols to compensate delays in 
live video transmission or transmit video over Internet Protocol/ Transmission 
Control Protocol (IP/TCP) in store and forward mode for guaranteed delivery. 
If the primary crew decides that short video clips must be recorded from an in- 
jured patient although the emergency is given medium priority the server sto- 
res the videos in the hard drive. When the highest priority emergency is cleared 
then stored video transmission begins if there is remote request. 


4.4 Picture quality and Bandwidth allocation 


Video transmission dissipates most of the system bandwidth; therefore band- 
width saving countermeasures must be developed. The obvious solution is to 


639 














prohibit parallel video transmissions. To undertake this problem the E-112 
server degrades, in real-time, the video picture quality within predetermined 
limits so that region of interests can be clearly retrieved in remote locations. 
This technique minimizes video bandwidth consumption allowing for addi- 
tional video streaming. 


4.5 Access network switchover 


One of the system’s novelties is the capability to monitor the frequency spec- 
trum for active telecommunication infrastructures. The system regularly scans 
for active wireless access nodes, if a node is spotted then alerts the server ad- 
ministrator. When the signal becomes strong enough to succeed the minimum 
signal to noise ratio then a second alert is generated and informs the user that 
a connection can be achieved. The administrator either activates the line or dis- 
cards the message however if more than one networks are available the ad- 
ministrator decides which of these networks are most suitable to use. Network 
selection depends upon the emergency status, if there is a life threatening in- 
jury the system decides to activate the satellite modem. If the patient’s condi- 
tion is serious but not critical then terrestrial telecommunication networks are 
chosen. The level of the emergency denotes the network that is best preferred. 
The best solution is the most cost effective option in terms of bandwidth avail- 
ability and tariff charges. 


5. Technology convergence and contribution 


E-112 is a hybrid system capable of compensating difficulties regardless the 
geographical location. The system converges existing technologies delivering 
modular and robust medical services to mobile users in remote locations. The 
system provides increased immunity against physical and human interactions. 
The E-112 is a multi operational platform that can be used for medical sup- 
port, for rescue, surveillance and defense applications such as Anthrax smoke 
detection and spays monitoring for aerosolised airborne bacterial spores . The 
system in a later stage will be enhanced with a low power MAC control pro- 
tocol providing wireless medical multisensor monitoring for wearable prod- 
ucts. 

The E-112 provides the hardware infrastructure to connect to every ava- 
ilable public access network and if needed to government TETRA networks 
(Police and Fire department). The system works in stand-alone operation or as 
integral part of a greater turnkey solution. The modular implementation and 
the technology architecture allows the E-112 unit to operate in 24/7 basis and/or 
for redundancy purposes during life threatening conditions. 


640 








Notes 


1. http://ec.europa.ew/archives/ISPO/legal/en/comerime/sieber.htm] 

2, The results in:Council of Europe , Computer related Crime, Strasbourg, 1990. 

3. Scherpenzeel (ed.), Computerization of Criminal Justice Information Systems, The 
Hague 1992. 

4. Sieber(ed.) Information Technology Crime-National Legislation and International Ini- 
tiatives, Kologne 1994. 

5. For the text of the convention see in: http://conventions.coe.int/Treaty/EN/Treaties/ 
Html/185.htm 








References 


[1] Stavroulakis, P Editor, Communiction and Information Security, Special Issue ,CHINA 
COMMUNICATION, February 2007. 


[2] Stavroulakis, P Terrestrial Trunked Radio- TETRA, A global Security Tool, Springer, 
2007 


[3] Damon Reed, Applying the OSI Seven Layer Network Model to Information Security. 
Sans Institute, Nov. 2003. 


[4]Adam Burns, Legal Aspects of Open Public Networks, Network Commons. 
[5] Kar 
ygiannis, Tom et.al, Wireless Netwoek Security, NIST,November 2002 


[6] Kun. L, et.al, “Homeland Security: The Possible, Probable, and Perils of Information 
Technology”, Engineering in Medicine & Biology magazine, IEEE, Vol 21, pp28-33, 2002 
[7] Kun, L et.al, “Information Infrastructure Tools for Bioterrorism Preparedness”, Engi- 
neering in Medicine & Biology magazine, IEEE, Vol 21, pp69-85, 2002 

[8] Kikuchi, M. et.al, “Biomedical Engineering’s Contribution to Defending the Home- 
land”, Engineering in Medicine & Biology magazine, IEEE, Vol 23, pp175-186, 2004 

[9] E. Kyriacou, et.al, “Multi-purpose HealthCare Telemedicine System with mobile com- 
munication link support”, http://www.biomedical-engineering-online.com/content/2/1/7 
[10] Elizabeth A. Bretz, “9/11 One year later”, Spectrum magazine, IEEE, Vol 39, pp38, 
2002 

[11] A. Georgoulis et.al. “RESHEN, a best practice approach for secure healthcare net- 
works in Europe” Advanced Health Telematics and Telemedicine (IOS) Textbook, Vol. 96 
[12]Luxminarayan , S,“Combating bioterrorism with bioengineering, Engineering in Me- 
dicine & Biology magazine, IEEE, Vol 21, pp21-27, 2002 

[13]Lamprinos, E, I.“A Low Power Medium Access Control Protocol for Wireless Medical 
Sensor Networks” Proceedings of the 26 IEEE EMBS conference, San Francisco, USA 
(2004) 


641 








Appendices 
Figure 1. OSI Model 






J APPLICATIONS 
LAYER 


Worms, Viruses 


Bo EIST, 


’ SESSION/PRESENTATION % 













LAYERS ADMINISTRATION 
BaN “RPC and NetBIOS aac CAPABILITIES 


NETWORK/TRANSPORT 
LAYERS 
Unauthorized Access. Endpoint Identity Theft. SYN Flood 





DATA LAYER 
ARPspoofing. MAC Flooding, Spanning Tree Attack 


PHYSICAL LAYER 
inadequate Power, Unfettered Access, Open Wall Ports. Floods 





Figure 2 OSI security model 












Presentation 


Session 


Access Control 
Data integri 
Assurance 





Physical Layer 


642 





Table 1. Mapping of security goals onto security threats 


Security Goals Security Threats 
Eaves- Traffic Authorization 
emo fee Ef 


[confidentiaity | x | 
[authentication | 
[Acess conor | | 
megis | 
at 
Z 



















Availabili 


Figure 3 TETRA Based Secure CBRN System 


TETRA BASED SECURE CBRN SYSTEM 


Satellite 
















scat 
a 
S coe T oss pz 
c " fap | 
Terrorism ` 
O pen-standad tol 10P 
R gdin | 
T echooloay E 
pam: pee l Routing using chaotic 
H ES encryption techniques 
aa HEN: N z 
J. SM/UNTS : 
A CBRN 
Biometrics Ne 





Telemedicine 


Chemical biological Radioactive Nuclear 


643 

















Figure 4: Overview of the Emergency Telemedicine System function 


Support-Emergency Health Patient Monitoring 
Care 


Telemedicine unit 


N Hospital C 
Information Fem, 
Network” 


Base Unit 
Hospital Consultation 
center) 





Figure 5: Broadband multi-gateway formulation 





644 








Figure 6: Broadband access in the local loop 





645 

















Research on Lawful Interception in Information Society 
from a Comparative Law Perspective 


Ma Hairong & Ma Minhu 


Abstract. Lawful interception, as a measure of criminal detec- 
tion, has a very long history in every country. Along with the rapid de- 
velopment of information technologies and the global prevalence of the 
internet, networks has already become a new type of crime tool, crime 
locale and crime target. Internet lawful interception is an effective me- 
asure to prevent and fight against the internet crime. However, the 
“clash” between technology and the law often represents that the exi- 
sting theory of law and its practice cannot solve new problems brought 
by new technologies. Therefore, how to apply lawful interception thro- 
ugh networks and broadband, and how to balance between the public 
interest and the individual privacy is a big question of Chinese legal aca- 
demia. Based upon this situation, the research on the legislative status, 
basic content and technology standards of the lawful interception in 
other countries can provide valuable experience for China and its lega- 
lization of lawful interception. 


Keywords. lawful interception; law enforcement assistance; technology standards 
Biographical Notes: Ma Hairong is taking her Masters degreee in Law , Major studies 
on Information Security Law at Xi’an Jiaotong University. 


1. Introduction 


In the middle of the last century, the rapid development and wide application 
of electronic communication technology made criminals highly dependent on 
modern communication technology to commit crimes in an unnoticeable way. 
In order to adapt this new crime trend, criminal detection measures have had 
to evolve and become perfect; this is also the golden rule for the develop- 
ment of criminal detection. In this aspect, the appearance of highly unnotice- 
able interception measures with high technologies in judicial practice and its 
approval in legislation is inevitable. Based on this situation, a number of co- 
untries makes the interception allowable on the one hand, and on the other 
hand they regulate this detective measure by legislation to avoid its abuse with 
the view of the protection of civil rights. For China, its legislation of intercep- 
tion should not only learn from the successful experience relating to lawful in- 
terception from other countries, but should also base it on its own national 
situation and summarize the existing legislative experience as well. 


647 











2. The Legislative Situation of Lawful Interception in Other 
Countries 


Lawful interception refers to a secret detective measure which collects evi- 
dence, finds out crime facts, and intercepts and records the electronic com- 
munication by telecommunication technology. Its procedure can be applied by 
investigatory authorities, with assistance from the telecommunication provi- 
der if necessary. For the object being intercepted, this detective process is se- 
cret; for telecommunication service providers, a certain degree of 
confidentiality should be provided (Philip A. Branch 2003). In various legal 
systems of the world dealing with lawful interception, most countries hold a 
positive attitude towards the application of lawful interception on criminal de- 
tection from legislative and practical perspectives; so the validity of intercep- 
tion is undoubted. However, the comprehension of the scope of its application, 
the necessary condition, the control of procedure, the internal protection me- 
asures, the external supervisory mechanism and the application of the obta- 
ined evidence varies by each country in terms of theory, legislation and 
practice. 

The U.S is the earliest country to implement the legislation of lawful in- 
terception. In 1934, aiming at the abuse of interception, the U.S Congress enac- 
ted Communications Act of 1934. Along with the rise of human rights 
movement in 1960s, a strong social dissatisfaction with the breach of citizen 
privacy was aroused by the abuse of interception; thus 
the Omnibus Crime Control and Safe Street Act was constituted by the U.S 
Congress in 1968. In its chapter 119 Wire and Electronic Communications In- 
terception and Interception of Oral Communication, detective authorities are 
clearly entitled to use communication interception in certain crime detections. 

The U.K. has also a long history of the communication interception . 
Lawful interception started as early as 200 years ago. Nevertheless, the U.K. 
Parliament had not passed the specialized law with regard to communication 
interception until 1985- i.e. the Interception of Communications 1985. Later, 
the Regulation of Investigatory Powers Act was enacted in 2000, as the frequ- 
ent human rights violations in judicial practice. 

In France, lawful interception was prescribed by the government in the 
Code of Criminal Procedure in 1991, and Article 100 with seven subclauses es- 
tablished the French interception legal system. 

In Germany, the regulation of communication interception is originated 
from basic law and criminal procedure law. The meaning of communication in- 
terception is very broad including letter checks, wire telephone communica- 
tions, mails, interception of electronic communications, electronic supervision 
and other communication record. 


648 








Therefore, there are two main models ( Lijun Deng) of lawful intercep- 
tion in other countries: the first model is the decentralized legislation which 
means certain legal questions relating to interceptions are explained by certain 
sections or articles of criminal procedure law, or other relative laws or regula- 
tions, and this is mainly adopted by countries with continent law like Germany 
and France; the second model is the centralized legislation which means a spe- 
cialized law is made only for interception, this is more common in the coun- 
tries adopting Anglo-American legal system like the U.S, the U.K. and Japan. 


3. Comments on Legal Systems of Interception in Other Co- 
untries 


The continuous development of network technology in information society is the ulti- 
mate reason for each country to promote the legislation of interception ceaselessly. 


In the modern detection, advanced technologies like telephone tapping and 
electronic monitoring device used for simultaneous monitoring are adopted 
widely for lawful interception. The monitored object not only contains natural 
conversation (face-to-face talk), but also covers the talk connected through any 
communication measures including telephone, telex and network communi- 
cations, and electronic communication is the most important one among them. 

For instance, the Interception of Communications 1985 was enacted by 
the U.K in 1985. Under this law, only the government can intercept the mes- 
sage transmitted by postal system or public telecommunication system. Ho- 
wever, the development of telecommunication technology and the U.K. 
national reform of telecommunication industry made mobile phones and in- 
ternet communication become prevalent, and a large number of private enter- 
prises started to operate telecommunication networks, and provide package 
and mail special delivery services. All these new communication measures are 
beyond the scope of Interception of Communications 1985, which led frequ- 
ent human rights violations in judicial practice. Thus, the Regulation of Inve- 
stigatory Powers Act was enacted on the basis of Interception of 
Communications 1985 in 2000, and its scope was enlarged to cover private te- 
lecommunication networks including mobile phones, pagers and electronic in- 
formation transmitted via computer networks. 

As for the U.S, its Communications Act of 1934 made by the U.S Con- 
gress restricts only wire telephone communications. It is not applicable to the 
telephone conversation agreed by one party in the communication. With a view 
to development needs, the U.S Congress enacted the Omnibus Crime Con- 
trol and Safe Street Act in 1968. This Act restricts certain types of communi- 
cation interception including wire telephone conversation and oral 


649 








conversation, but digital wire communications, email, telex, wavelet commu- 
nications and fiber-optic communications are excluded. Later, they were inc- 
luded after the amendment to the Act by the U.S Congress in 1986. After 9/11, 
the Patriot Act was passed on October 2001. Some network crimes like com- 
puter fraud and terrorist crimes, like crime committed through chemical we- 
apons, were added into this Act. Aiming at the crimes mentioned as above, 
investigatory personnel and law enforcement personnel can intercept the in- 
formation transmitted by the invaders in the protected computer systems wi- 
thout the order from judge’s order. In this context, the protected computer 
systems mean the computers used for intercontinental or international busi- 
ness and communication, and the computer system used by the Federal Go- 
vernment and financial organs. Furthermore, under the associated request of the 
Department of Justice, the Federal Bureau of Investigation and the Drug En- 
forcement Administration, after 2004, FCC continuously released the First Re- 
port and Order and the Second Report and Order of Communications 
Assistance for Law Enforcement Act in order to make broadband and VOIP ap- 
plicable to lawful interception. 


Regarding the purpose of legislation, the law on electronic monitoring in all countries 
stresses the balance between checking criminality and guaranteeing human right. 


The primary concern of an interception law should be a balance between 
individual and public rights. As a basic human right in the modern society, 
privacy must be respected by any law. The law principle for electronic 
monitoring is the soul of laws dealing with this conflict in that it seeks to 
protect the privacy of the individual monitored to the largest possible extent by 
weighing the rights of both, and by stipulating rigorous terms regarding the 
conditions and procedure of interception in the aim of preventing the abuse of 
power by the investigating department. This principle is called Proportion, 
which dictates that the limitation of a citizen’s right by an administrative 
authority must be exercised within the frame of law and, meanwhile, be as 
least as possible. 

Proportion requires that interception of electronic information should 
be for the purpose of ensuring state security and interest, preventing and 
detecting grave crimes and maintaining social stability, and any intervention 
that deviates from this purpose is illegal. The principle also demands certain ` 
conditions and procedural steps for interception so that an approval procedure 
must be strictly followed to validate an interception, and that nobody is allowed 
to intervene without permission. 

Foreign laws on electronic interception all include terms which permit 
the action in cases of felonies. For example, in Germany, the Code of Crimi- 


650 








nal Procedure limits its application action to five types of criminal activities, 
including those of a political or military nature, top felonies, drug dealing, 
organized criminalities, and those defined by particular procedural laws 
regarding foreigners and refugees. In addition, the laws of other countries have 
also made detailed specifications concerning the approval procedure of writs. 


The interception law attaches increasing importance to the assistance obligation of 
telecommunication providers. 


As networks and technologies develop fast, the global society faces various 
security and crime threats. In this sense, the intensification of network moni- 
toring capability and interception technologies has already obtained the atten- 
tion of many countries. Moreover, the complex and diversified situation of 
electronic communication technologies and its application needs telecommu- 
nication providers and equipment manufacturers provide necessary technology 
assistance to law enforcement agencies with a view of effective implement of 
interception. 

Based on this situation, the U.K., Australia, the U.S and the EU have al- 
ready made corresponding legislations to require private enterprises to assist 
law enforcement agencies in order to enhance the detective ability of investi- 
gatory authorities, for instance, network service providers provide effective 
monitoring services. 

In the U.S, the Communications Assistance for Law Enforcement Act 
made by the Congress on October 1994 ensures the lawful interception capa- 
bility of law enforcement agencies to be adaptive for the quick development of 
telecommunication technology. The specific realization of this purpose is to 
require communication industry and manufacturers to design and modify their 
equipments, devices and services for the agencies. According to the Act, in the 
construction of infrastructures, all telecommunication enterprises are under an 
obligation to prepare necessary equipment “channel” for the interception of 
communications so that relative law enforcement agencies can intercept any 
communications with the formal approval of court. 

This Act influences Canada greatly. Canada made similar laws dealing 
with the same problems for the nation and enterprises. The U.K. also passed the 
British Regulation of Investigatory Powers Act 1 on July 2000. This Act requ- 
ires public information providers to maintain a reasonable level of intercept 
capacity, particularly under the entitlement of Council Ministers. As for Ger- 
many, the Telecommunications Interception Ordinance (TKUV) was passed 
on January 2002. It clearly requires that only public telecommunication pro- 
viders under an obligation to intercept. To sum up, from a legislative perspec- 
tive at world level, the assistance for law enforcement is obligatory, and it is 


651 














in fact a compulsory request to satisfy the need of legal assistance. As for the 
compensation occurring during this process, German law prescribes that tele- 
communication providers afford it by themselves, whereas American law pre- 
scribes that appropriate compensation would be made for providers. 


The force ad effect of technology standards has been gradually recognized during the 
implementation process of interception law. 


The interception of electronic information is based upon telecommunication 
network system, and its major measure is technology. To follow technology 
standards is hereby an obvious character of international interception laws. 
Consequently, how to balance them is always the focus of legal academia. For 
instance, in the German Telecommunications Interception Ordinance, lawful 
interception standard is called technical command, which in fact implies that 
this standard has a legal adeffect. From this, it is clearly to observe that tech- 
nology standards is of great importance for law, and without proper and con- 
sistent standards, lawful interception can hardly be realized, as they are the 
base of its implementation. There are also various types of standards. From the 
perspective of compulsory implementation of technology standards, there are 
obligatory criterions and steering criterions; from the analysis of the nature of 
lawful interception, the relative technology standards should belong to obli- 
gatory criterions, because lawful interception is closely involved with national 
interest and social stability, and personal data privacy. 

The technology standard adopted by the EU and its member states and 
most Asian countries is made by the European Telecommunications Standards 
Institute. The Institute established an independent Technical Committee Law- 
ful Interception to constitute technology standards in particular on October 
2002, and its aim is to make lawful interception more convenient and econo- 
mical in order to adapt corresponding international and European regulations 
and legislative requirements. The technology standard released by the Com- 
mittee in various fields of telecommunication services (ETSI TS 101 331:Law- 
ful Interception (LI);Requirements of Law Enforcement Agencies”. ETSI ES 
201 671: “Telecommunications security; Lawful Interception (LI); Handover 
interface for the lawful interception of telecommunications traffic”. ETSI TS 
102 232: “Telecommunications security; Lawful Interception (LI); Handover 
Specification for IP Delivery”. etc..) prescribes in detail that which network 
should be chosen for interception, how to implement interception, and what 
kind of data format should be used to transmit intercepted information from one 
side to interception equipment. 

In the U.S., according to CALEA, the standard J-STD-025 was develo- 
ped by TIA with the support of FCC. It defines necessary conditions provided 


652 








by servers, fixed network technologies, cellular technologies, and broadband 
and individual communication service providers so as to support lawful inter- 
ception. It also regulates the interface of intercepted information and call iden- 
tifying information in detail. Moreover, the standard J-STD-025 includes 
standards of some grouping models for communication capacity (content only) 
and location information requirements. Later, this standard was modified as 
the standard J-STD-025-A, which was released on May 2000 and became na- 
tional standard for the U.S on 16th April, 2003. 


4. Lessons form Lawful Interception System of Other Coun- 
tries for China 


Everything can only be differentiated through mutual comparison, and deve- 
lopment and progress can only be obtained through mutual interaction, so does 
the legal system construction. Only under the prerequisite of understanding 
the current legislative status of lawful interception and its defects in China, 
will the legislative proposals appropriate to national situation be offered by ab- 
sorbing valuable experience of other countries. 


4.1 The Current Legislative Status of Lawful Interception and its 
Defects in China 


In China, lawful interception had been regarded as a secret for quite a long 
time, and legislative authorities adopted an evasive attitude towards it on pur- 
pose. There were also no provisions relating to interception in the Constitu- 
tion and criminal laws. The main legal basis for lawful interception is the State 
Security Law of the People’s Republic of China issued in 1993 and People’s 
Police Law of the People’s Republic of China issued in 1995. 

According to article 10 of the State Security Law, “Where the reconna- 
issance of an act endangering State security requires, a State security organ 
may, in accordance with the relevant provisions of the State and after going 
through strict approval procedures, employ technological means of reconnais- 
sance”. Hereby the state security organs can adopt lawful interception. Article 
16 of People’s Police Law also prescribes that “as necessitated by investigation 
of a crime, public security organs may, in accordance with relevant regulations 
of the State, take technical reconnaissance measures after strictly following 
approval formalities”. According to this article, these “technical reconnais- 
sance measures” in fact can include lawful interception, telephone tapping, 
electronic monitoring, secret picturing or video-recording, secret evidence col- 
lection, and letter checks. 

Nevertheless, the scope of the State Security Law is quite limited. It is 


653 








only applicable to the crime relating to the national security. There is still no 
provision for the interception of general crimes. In the factual judicial prac- 
tice, detective authorities like police department and prosecution organ often 
implement interception on the basis of internal documents made by the Mini- 
stry of Public Security (e.g., ordinances and regulations enacted and distribu- 
ted by the Ministry of Public Security). This status in quo obviously violates 
the value and principle of modern criminal procedure. 

In order to improve this situation, certain comparatively specific regu- 
lations relating to lawful interception were gradually released. In 2000, the Te- 
lecommunications Regulations of the People’s Republic of China was issued 
by the State Council, which enacted fundamental provisions for the content 
check of telecommunication. At the same year, Measures on the Administra- 
tion of Internet Information Services was released by the State Council, which 
enacted fundamental provisions for the storage of data of service providers. 
On 23" December, 2005, Provisions on the Technical Measures for the Pro- 
tection of the Security of the Internet (Decree No. 82) was released by the Mi- 
nistry of Public Security, which requires Internet service providers and network 
users (non-individuals) to carry out technical measures for Internet protection 
and ensure the effectiveness of these measures. 

Although China has certain specific provisions for lawful interception to 
maintain national security and social stability, and protect civil rights, there 
are still evident defects being observed in terms of legal culture and informa- 
tion security. 

First of all, lawful interception fails to follow the principle of legal pro- 
cedure. Detective behaviours should have the authorization clearly entitled by 
law particularly relating to the compulsory measures violating basic civil rights. 
For instance, the State Security Law only restricts crimes relating to national 
security and social security; the People’s Police Law is an internal organiza- 
tional law, which only coordinates and regulates the professional behaviour of 
personnel of public security organs. Thus, they cannot be used as a direct legal 
basis for lawful interception. Moreover, China lacks provisions relating to in- 
tercepted person, condition and procedure of lawful interception, let alone the 
provision involving the compensation for the intercepted person. Therefore, 
citizens’ privacy rights and rights to free communication have a possibility to 
be breached in the absence of legal procedure of interception. 

Second, there is no law, administration regulations and department rules 
relating to the assistance obligation provided by telecommunication service 
providers and technical standards which is the most important part of lawful in- 
terception. The special technical standards of lawful interception can ensure 
the amalgamation of telecommunication infrastructures, the interconnection 


654 








of telecommunication networks and compatibleness of terminal equipments. 
All these elements are the basis of lawful interception. 

Thirdly, from the perspective of balance of power, the existing laws and 
regulations may cause the abuse of rights, because both determinate right and 
executive right is held by public security organs and the state security organ, 
which is completely different from provisions relating to lawful interception in 
other countries. Thus, the principle of coordinated cooperation and mutual re- 
striction of legislative authorities, law enforcement agencies and telecommu- 
nication service providers must be represented in the process of lawful 
interception, which is the precondition for human rights protection and main- 
tenance of validity of interception. 


4.2 Some Advices on the Legislation of interception for China 


The legislation of interception in every country has continuously improved and 
coordinated, and China is no exception. Thus the nomocracy of interception in 
China should be promoted vigorously by absorbing valuable legislative expe- 
rience from abroad. Based upon this principle and the status in quo of lawful 
interception, the author believes that the mode of decentralized legislation is 
more appropriate to be adopted in China. At present, the amendment of Code 
of Criminal Procedure is ongoing, which is a good opportunity for correspon- 
ding authorities to establish provisions particularly for interception. This is 
more feasible to realize the nomocracy of interception. 

The modern nomocracy principle requires that state organs can only 
apply the right entitled by law (Wan L. Guan 1999). Therefore, lawful inter- 
ception can be not only provided with legal basis for law enforcement agencies, 
but also contro tively by law through the legalization of interception which is 
helpful to reduce the chance of rights abuse occurring in interception and pro- 
tect citizens’ privacy rights. 

In order to accelerate the legalization of interception, the author belie- 
ves that the following problems may be solved in the amendment of Code of 
Criminal Procedure: 


(1) The Clear Identification of Telecommunication Service Providers 
In the aspect of judicial practice from abroad, lawful interception mainly aims 
at the interception of information relating to identification recognition. Usually 
the specific content is not included. For instance, American law prescribes that 
only services in accordance with transmission and exchange belong to the 
scope of CALEA. 

According to this fundamental principle, all information service provi- 
ders doing business of transmission and exchange in China should perform as- 


655 








sistance obligation for law enforcement. For example, once higher education 
network operators connect to the Internet, they have transmission and exchange 
activities, so they belong to the scope of Code of Criminal Procedure. Mail se- 
rvice provider is another example. Although mails are stored in the mailing 
process, this service is obviously a transmission and exchange service, thus it 
should be included in the Code of Criminal Procedure, too. 


(2) The Clear Definition of Assistance Obligation for Law Enforcement 

Most countries and areas have reached a common ground on law enforcement 
assistance at the moment, but the specific content of assistance obligation va- 
ries. After receiving the order, telecommunication service providers shall 
launch the interception. During the whole process, the providers must inter- 
cept all information relating to the intercepted target. They not only undertake 
confidentiality obligations, but also have to protect citizens’ privacy. With a 
view to free choice of choosing business and protection of legal property rights, 
the providers could not have performed assistance obligation. In this sense, the 
Jaw should respect them and protect their rights. Furthermore, provisions for 
compensation should also be considered. The relative organs should compen- 
sate service providers for the necessary expense occurring during the process 
of assistance. Nonetheless, different countries and areas hold a different atti- 
tude towards it. For instance, German law has no relative provisions with re- 
gard to the government obligation for compensation, so telecommunication 
service providers have to afford the expense caused in the law enforcement as- 
sistance. CALEA constituted by the U.S. is an opposite example. From 1995 
to 1998, the U.S. government had appropriated $500 million (Communications 
Assistance for Law Enforcement Act of 1994) for equipment change by tele- 
communication service providers. China can consider American legislation for 
reference, but its effectiveness should be further assessed under actual condi- 
tions of China. 


(3) The Definitude of Writ and Time Limit of Lawful Interception 

According to China’s existing law, the applicant for interception order can be 
detective authorities including police organs, state security organs, procurato- 
rates, custom organs relating to suppression of smuggling and security sec- 
tions of the army. All the application for interception order must follow the 
legal procedure and be assessed strictly. However, which organs can accept 
these applications is a question. Most countries prescribe that only the court has 
a right to approve interception order, but China has a different situation. Ac- 
cording to the Code of Criminal Procedure, the People’s Court, the People’s 
Procuratorate and public security organs (including security organs) are enti- 


656 








tled to collect and transfer evidences from relative institutions, enterprises and 
individuals. At present, procuratorates are supervisory organs and entitled to 
detect and monitor according to the law, so generally they have a similar re- 
sponsibility with courts in other countries like the approval of arrestment. 
Based upon this situation, it is feasible for procuratorates to be entitled to ap- 
prove interception order in judicial practice. 

As for the time limit of lawful interception, there are various provisions 
in the world. For example, the time limit in France is three months, and it is 
four months in German. In China, according to the Code of Criminal Proce- 
dure, the detection of general criminal cases should be finished within two 
months after arrestment, so the time limit of lawful interception should also 
be two months. 


(4) Legal Compensation for Improper Interception 

As improper interception may violate the right and interest of intercepted pe- 
ople, a certain level of compensation must be made for him. According to the 
factual situation in China, intercepted people is entitled to certain rights for 
improper interception. For example, the right to judicial appraisal can be ap- 
plied by intercepted people when different view of intercepted information exi- 
sts (e.g. check on sealed materials). With a view of privacy protection, the 
intercepted person can also request relative organs to destroy intercepted in- 
formation which would not be used anymore. 


5. Conclusion 


In the process of prevention and fight against network crime, lawful intercep- 
tion of email and the Internet indeed raise the issue of how to balance between 
public interest and the individual privacy. It is a fact that there is no perfect 
man or thing or system exist in the world; so does the lawful interception sys- 
tem. However, with a view of public interest and Internet security and peace, 
it is still necessary to intercept email and the Internet which is also the basis and 
prerequisite for the normal operation of the Internet. There are many defects 
and lacunaes in the legislation of interception in China. Accordingly, China 
should attach much importance to the security risk brought by highly develo- 
ped electronic communication in terms of national security, and absorb valu- 
able legislative experience to accept this challenge. 


657 








References 


1) 


2) 


3) 
4) 
5) 
6) 
7) 
8) 
9) 


10) 


11) 


12) 


13) 
14) 
15) 


16) 


ETSI TS 101 331: Lawful Interception (LI); Requirements of Law Enforcement 
Agencies”. 

Lawful Interception of the Internet, Philip A. Branch, Centre for Advanced Internet 
Architectures. Technical Report 030606A Swinburne University of Technology Mel- 
bourne, Australia 

Higher Education CALEA Panel Update UCo-Sponsored by University of Chicago, 
Northwestern Higher Education University and Cisco Systems, March 15 2006. 
Communications Assistance for Law Enforcement Act of 1994, Pub.L.No.103- 
414,108 Stat.4279 

First Report and Order and Memorandum Opinion, Federal Communications Com- 
mission, August 2005 

Second Report and Order and Memorandum Opinion and Order, Federal Communi- 
cations Commission, Washinton, D.C. 20554 May 12, 2006 

Ordinance concerning the Technical and Organisational Implementation of Measures 
for the Interception of Telecommunications, GERMAN, November 3, 2005 

MA Min-hu, HE Xiao-na. Legal Foundation and Legislation Solution for Network In- 
formation Security Emergency in China. Netinfo Security, 2004, No.1. 

MA Min-hu. Research on Information Security Law, People Press of Shaanxi,2004, 
at p.201. 

Xu D., Meng, Juan W, and Hai. T, Implementation of LI (Legal Interception) in Mo- 
bile Communication [J]Supported by the Science & Technology Fund of Huawei 
Lt., February 2004. 

Guo M., Yang, and Xu D. Meng, The Technology of Legal Interception on Intelli- 
gent Network [J], Supported by the Science & Technology Fund of Huawei Lt., March 
2004. 

Guo M., Yang, and Xu D. Meng, Technologies of Lawful Interception on Intelligent 
Network [J], Supported by the Science & Technology Fund of Huawei Lt. 
(YJCB2003023SW), December 2004. 

Wan L., Guan, “The Discussion of Detection Measure Legislation Consummation[J 
]’, vol. 4, in Detection, 1999. 

Xue X., Huang, “Study on the Principle of Proportionality of Administration Law 
[J],” vol.1, in Science of Law, 2001. 

The Code of Criminal Procedure in Germany [M], “Preface,” translated by Chang K. 
Li . Beijing: Chinese Politics and Law University Press, 1995. 

Li J. Deng, “The Evolution and Development of Judicial Monitor in Germany,” vol. 
6, in Journal of Guangdong University of Business Studies, 2006. 


658 








Copyright, Censorship and Privacy: Is Cyberspace Over 
Crowded? 


Tang Guan Hong 
University of Edinburgh 


“Cyberspace matrix was actually a drastic simplification of the human sensorium...” 
- William Gibson - 


Abstract, Cyberspace raises new questions about the effective- 
ness of the Chinese legislation even as Chinese legislators and legal 
pundits are drafting and enacting various regulations to keep up with the 
rapid development of technology. Among the core issues problematised 
by Internet technology concern copyright, censorship and piracy. This 
paper will introduce and examine the related issues and laws, in the Pe- 
ople’s Republic of China, and will demonstrate the developments, the 
differences and the prospects with the intention of perfecting the Chinese 
law in aspects of copyright, piracy and censorship. l 


Keywords: Internet, Copyright, Censorship and Privacy. 


1. The Internet in China 


The Internet, in the West, was researched in the 1960s, developed in the 1980s 
and well used in the 1990s. It was not introduced to the People’s Republic of 
China (China) until the 1990s, but have been developed rapidly ever since. 


1.1. The development of the internet in China 


The first Chinese public data network, China Academic Network (CAN), was 
formed in 1986, which was assisted by Professor Werner Zorn and the Uni- 
versity of Karlsruhe (UoK) in Germany and involved a group of researchers at 
the Institute of Computing Applications (ICA). A year later, the Institute of 
High Energy Physics (IHEP) in Beijing connected to the Conseil Européen 
pour la Recherche Nucléaire (CERN) in Geneva. Meanwhile, the CAN estab- 
lished its first international link when a Siemens 7,760/ BS2000 computer at 
the ICA connected to the UoK via a 300 bits per second packet-switched data 
network. [1] On 20 September 1987, one of ICA’s researchers, Professor Wang 
Yunfeng, sent out the first ever email from China and the message was entitled 
“Across the Great Wall we can reach every corner in the world’, which is com- 


659 








monly known in China as “HUY KH , Ha 1 FL” [2] In November 1990, 
initiated by Wang Yunfeng, with Werner Zorn’s support and liaisoned by Pro- 
fessor Qian Tianbai, China registered the .cn international top level domain at 
the Defense Data Network Information Center (DDN-NIC), while the .cn do- 
main name server was hosted at the UoK since China then did not have its own 
direct Internet connection yet.[3] Qian Tianbai believed that the Internet would 
be extremely beneficial for not only academics, but also for everybody. He 
claimed that the “Internet would play a great part in Chinese people’s daily life 
in the near future” and was diligent to promote the Internet over the country.[4] 

Furthermore, a 64K dedicated circuit to the Stanford Linear Accelerator 
Center (SLAC) was opened officially on 2 March 1993. Built by the IHEP, the 
dedicated circuit was linked to the United States (US) through an international 
satellite communication channel rented from AT&T. But it was only allowed 
to connect to the American energy network, because the US government for- 
bade any socialist countries to access the Internet that contained plenty of sci- 
ence and technology information and other resources. [5] Nonetheless, it was 
still China’s first dedicated circuit partly accessing Internet.[6] 

On 15 May 1994, the IHEP set up China’s first web server and intro- 
duced the first set of web pages. Apart from brief introductions on the im- 
provements of high technology in China, a “Tour in China” section was 
included, which, renamed “Windows of China” later, providing a wider range 
of information on news, business, culture and trade. On 21 May 1994, Qian 
Tianbai led the Computer Network Information Center at CAS installed 
China’s top domain name servers. Thus, China was recognised as a country 
with the Internet.[7] 

Later in September, a Sino-American Internet agreement was signed be- 
tween China Telecom and the US Secretary of Commerce. As agreed, China 
Telecom opened two 64K dedicated circuits, respectively, in Beijing and 
Shanghai in January 1995 through the US Sprint Co.[8] On 8 August 1995, 
KRA, shui mu qing hua, BBS went live online and it is the first Internet- 
based BBS in China mainland.[9] 

The China Internet Network Information Center (CNNIC) is the state 
network information centre and was founded on 3 Jun 1997, and has been op- 
erated by the Ministry of Information Industry (MII) and Chinese Academy of 
Sciences (CAS). In November 1997, CNNIC issued its first Statistic Report 
on Internet Development in China, which stated that 299,000 computers were 
connected to the Internet and Internet users reached 620,000 by 31 October 
1997.[10] Nearly ten years later, according to CNNIC’s twentieth Statistic Re- 
port, 67.10 million computers were connected to the Internet and the total of 
Internet users reached 162 million by June 2007. It is now the second largest 


660 








Internet nation in the world. While 37.2% of Chinese Internet users surf online 
in Internet cafés and many Internet users have not possessed their own com- 
puters, 31.2% of them access Internet at work places and another 12.2% at 
schools.[11] Since many users do not posses their own computers and currently 
around 50 million people are surfing online in public venues, this brings about 
serious social and legal consideration 


1.2. The Chinese Internet in the western views 


Two institutions have to be mentioned when talking about the Internet in gen- 
eral, the OpenNet Initiative (ONI) and the Reporters without Borders (RSF). 

The ONI is a collaboration of Toronto, Harvard, Cambridge and Oxford, 
four international leading universities, that intends to “investigate, expose and 
analyse Internet filtering and surveillance practices in a credible and non-par- 
tisan fashion”.[12] ONI maintains the following categorisation schemes: per- 
vasive, substantial, nominal, indirect and watchlist, to indicate a country’s 
Internet filtering level. China is in the pervasive category because “China 
blocks access to numerous websites at the Internet backbone level for content 
related to human rights, opposition political movements, Taiwanese and Tibe- 
tan independence, and the Falun Gong movement. Some international news 
sources, such as the BBC, are also blocked”.[13] 

The latter, Reporters Sans Frontiéres, is a Paris-based international non- 
governmental organisation that advocates for “freedom of the press”. Curren- 
tly, it has national branches in all five continents and has consultant status at 
the United Nations. RSF holds an internet enemy list. China is on the list as its 
Internet model is “based on censorship and surveillance”.[14] Very recently, 
Robert Ménard, RSF’s Secretary-General issued an open letter asking the head 
of China Telecom to restore its service. He believes that the China Telecom 
has partially blocked Internet access in Guangdong Province and Shang Hai 
from the end of August on because of online comments or posts regarded as “il- 
legal” by the government.[15] 

Furthermore, running a simple search for “Internet” and “China” on Go- 
ogle, appeared about 393,000,000 results, which of the first 100, over 40% re- 
lated to censorship and the Chinese authorities’ control of information over the 
Internet.[16] Whereas Professor Lilian Edward, in her editorial, remarked on 
the decision of blocking access to all websites containing illegal images of 
child abuse in the United Kingdom (UK), she loudly raised the question: 
“today child porn; tomorrow, China?” [17] 

The Internet, in the West, was advocated as an independent world, and 
governments were asked to “leave it alone” because it did not lie within the bor- 
ders.[18] Certainly, governments did not leave Cyberspace alone since it is a 


661 











part of the real world. In the UK, for instance, a series of laws have been enac- 
ted since 1978, including rules on child abuse images, criminally obscene con- 
tent, incitement to racial hatred content and the liability of Internet Service 
Providers (ISP).[19] In addition, the Internet Watch Foundation and the Com- 
puter Crime Unit have been established to deal with Internet and computer re- 
lated crimes.[20] Still, laws and regulation are challenged, according to the 
Lords Science and Technology Committee’s report in August 2007, and the in- 
ternet “has increasingly become the playground for criminals” and 4 lawless 
“wild west”.[21] 

Because of the increase of IT related crimes, the governments have been 
urged to regulate the Internet including the legislation of censorship, to secure 
its healthy development. As will be introduced later, China has not framed cle- 
arly, to this date, the scope of its censorship with often makes it excessive; thus 
it has been much criticised by the West. Acknowledging that it is essential to 
denounce and combat disproportionate censorship and other laws, China still 
lacks the “rule of law” culture forged in the West for hundreds years. 


1.3. Chinese see the Internet in China 


Most Chinese users including scholars believe that the Internet is transforming 
China,[22] . They see the Internet as a technological revolution, as well as a 
boost to a more open, prosperous and democratic future China.[23] Qian Tian- 
bai foresaw that the Internet has made a great impact on Chinese people’s 
everyday life. They now learn online, shop online, game online, make friends 
online, chat online and even get married online.[24] They challenge authorities 
and comment on governments’ policies and actions, and set up forums to dis- 
cuss interested topics including Dalai Lama[25] and “Tibetan independ- 
ence” [26]. 

According to a survey done by the Chinese Academy of Social Science 
(CASS) on Internet usage and impact, people believe that Internet will have a 
positive impact on political transparency and expanding discourse. 65.9% of 
users’ primary purpose of surfing online is reading news,[27] 62.8% of users 
believe that people will acquire better knowledge of politics by going online 
and 60.4% believe that higher level officials will understand better common 
people’s view, 54.2% and 45.1%, respectively, believe the Internet provides 
more opportunities for criticizing the governments and expressing political 
views. 

People are concerned about how to make the Internet a safer place for 
youngsters and maintain the moral standards, how to develop the Internet 
healthily and how to perfect Chinese legislation regarding the Internet.[28] The 
majority of Chinese think that certain Internet contents should be controlled, 
including 84.7% of them support the ban of pornography and 72.6% uphold the 
ban of violence.[29] 

Indeed, the Chinese have a positive view voice about the impact of the 

662 





Internet in areas such as political transparency and freedom of expression. The 
Internet has become a powerful tool and certain censorship is understood as a 
beneficial way to control unwanted contents in Cyberspace. There is appar- 
ently a clear gap between the view of the West and that of the East, which could 
be explained in terms of culture and history. While the former takes the ap- 
proach of seeing what is left to be done and tends to be negative, the latter ap- 
preciates the progress already achieved and therefore is more optimistic. 


2. Law and the Internet in China 


Traditionally, China has lacked the “rule of law” culture in which the law was 
held in high esteem. The essence of the legal system in imperial China was the 
“rule of man”, which run through 221 BC to 1911, and was a mechanism for 
retaining imperial control over the populace. Moreover, the ancient Chinese 
law was mainly conceived as penal law which focused on state concerns and 
only dealt with private matters incidentally. It was operated vertically and used 
as a supplemented means for maintaining a hierarchical social relationship.[30] 

The current modern Chinese legal system, which was established in 
1949 and abolished during the ten-year Cultural Revolution, mainly adopted 


_ the form of continental system from Germany, also borrowed substantial ele- 





ments from the former Soviet Union and inherited the essence of traditional 
Chinese law.[31] The re-establishment of the legal system along with the Re- 
form and Open Policy in 1979 has been fairly effective, but problematical, as 
shown below. 

In addition, it should be noted that although China is not a case law coun- 
try, under the influence of its traditional culture of shi sheng yu xiong bian 
(facts speak louder than words), law cases have always of extremely impor- 
tance to the Chinese law making, enforcement and promotion.[32] 


2.1. The Chinese Constitution 


The Constitution of the People’s Republic China (Constitution) provides Chi- 
nese the legal basis. The current Constitution was adopted in 1982 and was re- 
vised respectively in, 1988, 1993, 1999 and 2004, which confirmed the socialist 
system and the people’s ownership of the state power in China.[33] 

The Constitution provides that all cases tried by courts should be con- 
ducted openly[34].At present, China practices a two-instance system of trials 
which means the courts have to try cases on two levels, with the second in- 
stance being the final judgment. 

Moreover, the Constitution states that citizens have the freedom of 
speech, press, procession and demonstration.[35] Also, it promotes knowledge 


663 








and sciences, encourages all kinds of creativities and safeguards people’s rights 
for lawful income, savings and other private property.[36] 


2.2. Cyberlaw in China 


The first Chinese cyberlaw was promulgated by the State Council on 1 Febru- 
ary 1996, which entitled “Provisional Regulations of the People’s Republic of 
China Governing the Management of Computer Information Networks Hooked 
Up With International Networks” (Provisional Regulations) and was soon re- 
vised on 20 May 1997. The Provisional Regulations has legalised connections 
between the Chinese domestic network and the international Internet. Then, a 
series of cyberlaws have been enforced, on the one hand, to adopt the rapid 
development over the country, and on the other hand, to catch up with the in- 
ternational treaties’ requirements. 


2.2.1 Copyright 


China has signed several related international treaties, i.e. the WIPO Conven- 
tion in 1980, Paris Convention in 1985, Madrid agreement in 1989, Berne con- 
vention and Universal Convention in 1992, Geneva Convention in 1993, 
Budapest Treaty in 1994 and TRIPS in 2001. The modern copyright law was 
directly promoted by a 1979 trade agreement with the United States (US). The 
agreement committed China to reciprocate copyright protection for US works 
under Chinese law and with due regard to international practice.[37] 


2.2.1.1 The first Chinese Copyright on trial 


In September 1990, the first modern copyright law, the Copyright Law of the 
People’s Republic of China (CCL 1990) was adopted by the NPC and went 
into effect in June 1991 and at the same time that the Regulations on the Im- 
plementation of the Copyright Law was also enforced (Regulations 1991). The 
CCL 1990 provided copyright owners the right of publication, authorship, al- 
teration, integrity, and exploitation and the right to remuneration.[38] The CCL 
1990 did not take Cyberspace into account as the Internet was not introduced 
in China yet. And for some years, the Chinese people regarded the Internet as 
a great place for “free stuff’ such as music, films, games, software and 
books.[39] 


a. Chen Weihua, the almost forgotten pioneer 


The CCL 1990 was nevertheless challenged in May 1999, when Chen Weihua, 
an Internet user, appealed to the Beijing Haidian District People’s Court against 
the Computer Business Information (CBI), a publisher. The plaintiff, whose 


664 








name online was Wu Fang, wrote an article, “An Playful Discussion on 
MAYA” (MAYA), talking about 3D animation designs, and uploaded it on his 
own homepage, “3D Sesame Street” in May 1998. Without Chen Weihua’s 
consent, CBI published MAYA in its newspaper in October the same year. In 
November, the plaintiff emailed the defendant, declaring to be the author of 
the article. In December, the plaintiff faxed the defendant, alleging copyright 
infringement. Defendant received both the email and the fax, but rejected the 
plaintiff’s request. Chen Weihua claimed that CBI had infringed his copyright 
and asked for a published apology, a remuneration of RMB231 yuan for the ar- 
ticle together with a punitive damage of RMB50,000 yuan for the infringe- 
ment. In the court, CBI argued that the article was recommended by a reader 
and was sent in via email which did not contain any words regarding copy- 
right restriction, and the CBI replied asking for more information from the 
reader on the author but received no response. Therefore, the defendant said 
that CBI had no intention of breaching Chen Weihua’s copyright and should not 
make any apologies. 

In April 1999, the judgement was given to the plaintiff. First, the court 
explained expansively that, on the one hand, definition of zuo pin, “works”, and 
MAYA was a work; thus, it should be protected by copyright even if no spe- 
cific provisions was offered due to the fast IT developments, and on the other 
hand, the plaintiff proved that the work was written by him in May 1998 and 
he uploaded the work to his homepage, which meant his intention to publish 
his work on the Internet. The court stated that MAYA was confirmed to be a 
work due to it being fixed in a digital format that was stored in a hard drive 
of a computer and uploaded to the Internet via a www server and kept stable 
to permit public’s access or reproduction through any host. Then, the court 
concluded that CBI’s unauthorised publication of Mr Chen’s work on the news- 
paper was a commercial act that infringed the plaintiff’s rights to use the work 
and to be remunerated. Nonetheless, the plaintiff’s claim of RMB50,000 yuan 
punitive damage was rejected for he failed to provide evidence to support his 
claim. 

Based on Article 11 “ownership of copyright” and Article 46(2) “re- 
producing and distributing a work for commercial purposes without the con- 
sent of the copyright owner”, the court ordered CBI, first, to cease the 
infringement immediately; secondly, to apologise to Chen Weihua and publish 
it in the CBI’s newspaper; thirdly, to remunerate Chen Weihua RMB924; and 
finally, to pay Chen Weihua the litigation fee RMB2017 yuan.[40] Neither the 
defendant nor the plaintiff appealed the ruling. 


665 











b. Celebrities effects 


In June 1999, another lawsuit was filed in the same court. This time, six very 
well-known Chinese writers - Wang Meng, Zhang Chenzhi, Zhang Kangkang, 
Bi Shumin, Zhang Jie and Liu Zhengyun (Six Writers) - sued Shiji Internet 
Communication Technology Ltd (Shiji Ltd) for its copyright infringement on- 
line. The defendant was a leading company in information technology (IT) in- 
dustry based in Beijing and owns a Website http://www.bol.com.cn, Beijing 
Online. A great number of literary works were collected on Beijing Online and 
allowed registered users download them for free. Works of the mentioned six 
famous Chinese writers were included. The six writers’ sought judgment for the 
action for infringement of copyright and the condign remuneration, and, puni- 
tive compensation for both the economic and spiritual damages. 

Shiji contended that CCL 1990 had not been extended to the Internet, no 
regulations provided that permission must be obtained. for distributing pub- 
lished works online and that there was no benchmark for remunerating copy- 
right owners. In addition, all works were collected from other Internet sites for 
archival purpose, opened to public for free and kept full information about au- 
thors. Shiji had no intention to infringe Six Writers’ copyright and did not dam- 
age Six Writers’ economic and spiritual benefits. 

In September 1999, the judgment was given in favour of six writers. The 
court explained in detail that although the CCL 1990 was not updated with the 
newly developed technology, it may be understood that the digitisation of a 
work was only a change of the format but not a new work. Authors certainly 
have copyright over the digitised works and the monopoly to decide if their 
works could be distributed and in what format. Thus, the first part of the ap- 
peal was allowed, but the other claim was dismissed. The court was not only 
concerned about the copyright owners’ and company’s benefits, but also about 
the public interest which was of great importance to socialist China. Based on 
CCL 1990 Article 10 and Article 45(6), (8), the court ruled Shiji must firstly, 
cease use of Six Writers’ works immediately; secondly, publish an apology for 
its infringement on Beijing Online’s homepage; and finally, remunerate the 
plaintiff according to the number of words of their works and pay the litigation 
fee.[41] In October, Shiji appealed to Beijing First Intermediate People’s Court, 
and the first instance was upheld in December 1999. 

This court case gained great attention over the country, for instance, the 
Central China Television live broadcasted the entire trial on 18 September 
1999. Numerous general public attended the hearings, also carried out inten- 
sive discussions online and for many of them it was the first time knowing the 
word of copyright.[42] Furthermore, the case was greatly analysed by ISPs, 
lawmakers, law practitioners and academics over the country,[43] who mainly 


666 











urge the enactment of the law providing specific clauses for enforcing copy- 
right on the Internet, whilst other voices remain: some say that the court was 
influenced by the US practice, which caution against adoption of the US prac- 
tice in China,[44]some believe the court has exceeded its jurisdiction by ex- 
panding the scope of the Copyright Law without legitimate authorization.[45] 


c. Copyright and the public interest in test 


Revisions of the CCL 1990 was approved by the 24th Session of the Standing 
Committee of the ninth NPC in October 2001, which is commonly known as 
Copyright Law of the People’s Republic of China (CCL 2001). The CCL 2001 
was primarily amended for its entry into the World Trade Organisation (WTO), 
corresponding to TRIPS.[46] 53 out of the 56 clauses of the CCL 1990 were 
revised, which the main amendments include 

e extending the scope of objects that are protected,[47] 

e providing a more defined classification for 17 types of rights that are 

granted to copyright owners,[48] 

e narrowing down the permitted acts,[49] 

e adding provision to regulate contracts for copyright assignment,[50] 

and 

e specifying the legal obligations and enforcement measures which 

embrace prosecution of criminal liability of an infringing act that 
constitutes a crime.[51] 

Besides, in Article 47(1), the law stipulates that infringing acts on the In- 
ternet could bring about prosecution which is a reply to the cases mentioned 
above. Article 4 is unchanged which states that copyright owners, in exercis- 
ing their copyright, shall not violate the Constitution or laws or prejudice the 
public interests. In line with the CCL 2001, the Regulation 1991 was abolished 
and the Implementing Regulations of Copyright Law was issued in August 
2002 (Regulations 2002). 

The new rules were shortly tested in Beijing Haidian District People’s 
Court in April 2002. The plaintiff, Chen Xingliang, a law professor from 
Peking University, found that the China Digital Library Ltd (Digital Library) 
collected his “The New Perspective of Modern Criminal Law” etc. three books 
on its website www.d-library.com.cn without his authorisation. By paying a 
very small sum of subscription, users can become members of the Digital Li- 
brary and then can browse or download its collections for free.[52] users could 
download the full copies online. Based on Article 37 of the CCL 2001, Pro- 
fessor Chen appealed against the Digital Library’s infringement of the copy- 
right and applied for compensation RMB 400,000 yuan. 

In the court, the defendant claimed that as a non-commercial organisa- 


667 











tion which was leading the exploitation and advance of digital library in China, 
the Digital Library was aware about copyright issue and attempted to establish 
an improved system of online copyright authorisation. Moreover, as a non- 
profit making digital library, its use of Professor Chen’s books was justified by 
the defence of public interest. 

After confirming Professor Chen’s copyright to the three books, the 
court explained Article 10(12) of the CCL 2001 that Professor Chen has the ex- 
clusive right to communicate to the public his work, by wire or wireless means. 
According to Article 47(1), Digital Library has breached Professor Chen’s 
copyright. 

Further, the court accepted that the Digital Library’s uses of works had 
met a public demand and had a fair objective. However, the digitisation of its 
collections without copyright owners’ permission was unlawful reproduction 
of works, and the providing of the digital copies on the Internet to members vi- 
olated the copyright owner’s right of remuneration and made unlawful copy- 
ing possible. In June 2002, the court held that, (1) the defence of public interest 
failed and the appeal was permitted since it is breach of plaintiff’s copyright for 
uploading books in digital format without authorisation; (2) the Digital Library 
must cease the infringement without delay; (3) the Digital Library must pay 
professor Chen compensation RMB 80,000 yuan. 

Chen Xingliang v China Digital Library has stated that it is a breach of 
copyright to disseminate others’ works on the Internet without the author’s per- 
mission, to sabotage technical means for transmission of works, or any action 
to tamper with the right of information administration. It has also led to a fine 
discussion on the public interest. The major arguments say that following the 
libraries provisions, the law should also offer digital libraries exceptions to 
stimulate its development, in the name of the public interest. The opposing 
viewpoints deem the compensation should be much higher, as it is crucial to 
establish a confined approach of copyright for developing digital libraries in the 
country, as well, in the name of the public interest.[53] 

In short, the three cases above have illustrated the progress of the rele- 
vant Chinese law .To date, three periods may be summarised, (1) middle 1990s 
to late 1990s, a copyright free Internet period; thus, the CCL 1990 was not 
challenged in this regard until 1999; (2) late 1990s to 2001, a questioning pe- 
riod; which debates focused on whether there should be a system of copyright 
in Cyberspace, whether digitising a work created a new work and what the ju- 
risdiction should be; (3) from 2001 on, a period of exploiting and perfecting the 
law, discussions has gone further including privileges for digital libraries, the 
public interest defence, the enforcement and etc. 

There is still much to consider for Chinese lawmakers, especially on the 
clarification of the law and its enforcement. In addition, low or no punitive 


668 








compensations indicate the yet poor significance of copyright and may be a 
drawback for an effective enforcement, in such an era that copyright is taking 
a great part. 


2.2.1.2 Other relevant rules 


In April 2005, the Measures on Administrative Protection Rules of Internet 
Copyright (the Measures), were jointly released by the National Copyright Ad- 
ministration of China (NCAC) and'the Ministry of Information Industry (MID, 
which include 19 articles for the purpose of enhancing the protection of copy- 
right on the Internet from unauthorised dissemination on the one hand, and im- 
proving the administrative enforcement on the other.[54] The Measures apply 
to both services, including uploading, storing, linking or searching online lite- 
rary, audio, or video products in accordance with the instructions of the Inter- 
net content providers, without editing, revising and selecting the stored or 
transmitted content;[55] and the administrative protection of the rights of per- 
formers, audio and video producers, and other copyright-related rights holders 
to spread their performances on audio and video products via Internet.[56] In 
addition, the Measures give practical guidance on how to implement the regu- 
lations. For instance, when a copyright owner finds that an ISP has violated 
his/her copyright, a notice should be sent to the ISP,[57] which should include 
the flowing items: (1) copyright certificate for the alleged infringing content; 
(2) specific identification proof, address, and contact information; (3) location 
of the infringing content on the information network; (4) related evidence of 
copyright infringement; and (5) declaration of authenticity for the notifica- 
tion.[53] 

Furthermore, the Regulations on Rights of Information Network Distri- 
bution went into effect in July 2006, which contain 27 Articles and provide co- 
pyright owners rights to control their works’ distribution on the Internet and 
ISP’s obligations to correct any infringing acts, together with exceptions inc- 
luding the following purpose uses, classroom teaching and research, non-com- 
mercial exploitation for blind people, lawful administrative or judicial action 
and the test of system or Network.[59] 

Making more specific and clearer, the above regulations intend to meet 
the prompt development of Internet in China, as well as to balance the interest 
of copyright owners, ISPs and Internet users. 


2.2.2 Censorship 


China has been extremely tough with pornography and violence in Cyberspace. 
The provisions are tied together with terrorism in both civil and criminal laws. 
As mentioned earlier, censorship in China is strongly criticised in the west. In- 


669 











deed, Chinese Internet is rather a “guarded openness”.[60] Chinese legislators 
have striven for ensuring a “harmonious and healthy” Cyberspace via govern- 
mental control.[61] 

In February 1994, the State Council issued the Regulations for the Safety 
Protection of Computer Information Systems which confirmed that the Min- 
istry of State Security (MSS) would supervise all information systems in China. 
In addition to that, the Public Security Bureau (PSS) is in charge of civilian net- 
work security, which was codified in the Regulations on Computer Information 
Network and Internet Security, Protection and Management that approved by 
the State Council on 11 December 1997 and promulgated by the Ministry of 
Public Security on 30 December (Regulations 1997). The PSS and the MSS are 
the most important organs which responsible for, respectively, internal and ex- 
ternal security, both offline and online. 

Regulations 1997 clarifies that no unit - “anit” is dan wei in Chinese, 
means “establishment’”- or individual may use the Internet to violate the free- 
dom and privacy of Network users.[62] It also states that “no unit or individ- 
ual may use the Internet to harm national security, disclose state secrets, harm 
the interests of the State, of society or of a group, the legal rights of citizens, 
or to take part in criminal activities”.[63] It defines eight types of prohibited in- 
formation which are: 


1. Inciting to resist or breaking the Constitution or laws or the imple- 
mentation of administrative regulations; 

2. Inciting to overthrow the government or the socialist system; 

3. Inciting division of the country, harming national unification; 

4. Inciting hatred or discrimination among nationalities or harming the 
unity of the nationalities; 

5. Making falsehoods or distorting the truth, spreading rumors, de- 
stroying the order of society; 

6. Promoting feudal superstitions, sexually suggestive material, gam- 
bling, violence, murder, 

7. Terrorism or inciting others to criminal activity; openly insulting 
other people or distorting the truth to slander people; 

8. Injuring the reputation of state organs. 


In line with the Law on the Protection of State Secrets and other related 
regulations, to facilitate strengthen the management of secrets in the computer 
systems on the Internet and to ensure the safety of state secrets, the State Se- 
crets Protection Regulations for Computer Information Systems on the Inter- 
net came into effect in January 2000. It holds that no unit or individual shall 


670 








release, discuss or disseminate state secrets on an BBS, chat room or network 
news group, and the principle of managing state secrets shall be “whoever 
places materials on the Internet takes the responsibility”.[64] In addition, na- 
tional backbone networks, Internet access providers and users are obligated to 
be supervised and checked by departments in charge of protecting secrets and 
to report a leak or possible leak.[65] 

In September 2000, the Telecommunications Regulations was prom- 
ulgated by the State Council and in Chapter V, it regulates telecommunications 
security and affirms that no organization or individual may use telecommuni- 
cations networks to make, duplicate, issue, or disseminate information con- 
taining the following[66: 


1. Material that opposes the basic principles established by the con- 
stitution; 

2. Material that jeopardizes national security, reveals state secrets, sub- 
verts state power, or undermines national unity; 

3. Material that harms the prosperity and interests of the state, 

4. Material that arouses ethnic animosities, ethnic discrimination, or 
undermines ethnic solidarity; 

5. Material that undermines state religious policies, or promotes cults 
and feudal superstitions; 

6. Material that spreads rumours, disturbs social order, or undermines 
social stability; 

7. Material that spreads obscenities, pornography, gambling, violence, 
murder, terror, or instigates crime; 

8. Material that insults or slanders others or violates the legal rights 
and interests of others; 

9. Material that has other contents prohibited by laws or administrative 
regulations. 


Furthermore, “for the purpose of regulating Internet information serv- 
ices (IIS) and promoting the healthy and orderly development of such serv- 
ices”, the Measures for Managing Internet Information Services was enforced 
in October 2000.[67] It demands all IIS providers must guarantee that their in- 
formation is legal.[68] For those providing services related to information, the 
publishing business and e-announcements, they shall record the content of the 
information, the time that the information is released, and the address or the do- 
main name of the Web site, and keep the information for 60 days.[69] 

The Decisions of the NPC Standing Committee on Safeguarding In- 
ternet Safety was promulgated in December 2000 and deals with subverting 


671 








state power, stealing state secrets and organising or contacting evil cults 
through the Internet. 

Moreover, China formed its team of cyber police in September 1998 and 
they patrol the network everyday.[70] Most recently, in September 2007, Bei- 
jing sent two virtual police officers (VPO), Anan and Ningning, “to safeguard 
the virtual world”.[71] In fact, a pair of VPO Jingjing and Chacha have been 
introduced to Internet users in Shenzhen by the Internet Supervision Depart- 
ment of Shenzhen Public Security Bureau since January 2006. People could 
click on the cartoon police officers’ icon and ask questions about information 
safety or report Internet crimes.[72] The newly revealed VPO’ images are com- 
puter-generated.[73] They would pop up on Beijing’s gateway websites every 
30 minutes and would patrol all websites and forums in Beijing from Decem- 
ber on. To report any suspicions, a double-click is all required and it is prom- 
ised that real police officers would response to the report in 30 minutes.[74] It 
is said that virtual police intends to primarily combat 9 types of Internet crimes, 
i.e. online pornography, violence, terrorism, Internet related Frauds, stealing, 
gambling, money laundering, superstition, and selling guns and other prohib- 
ited objects.[75] 

Most users believe that VPO would protect the Cyberspace and fight In- 
ternet crime;[76] some worry VPO becoming a “political show” rather than 
policing the Internet,[77] some find VPO “cute” and even tried hard to meet 
them;[78] some fear that they can no longer watch porn online at home as the 
IP would be recorded;[79] and very interestingly, detailed techniques and meth- 
ods of preventing VPO’s “watch” have been posted to a hacker’s BBS in April, 
almost half a year prior to the official launch of VPO. [80] 

Although it seems obvious that a level of censorship is acceptable and 
even recommendable, it is difficult to draw the line between what is tolerable 
and what is not. This is the dilemma with the Regulations 1997 and 2000. 
While the objective of the law sounds logical, the application of it has to be 
very well monitored. Could freedom of expression conflict with national se- 
curity? Could the injury of the reputation of state organs mean just democratic 
political opposition? 

What should be concerned is the extent of censorship and the barriers 
that create for the natural development of a democratic society. China has 
surely not evolved enough from its traditional approach on censorship and the 
law needs to be clarified. However, in a framework with already rapid social 
changes, it would not be beneficial to force the challenge faster than it could 


go. 


672 








2.2.3 Privacy 


The term of “privacy” in Chinese is “BERL”, yin si, yin means “to hide” or 
“hidden”, and si means “secret” or “selfish”, which has not been too much val- 
ued by the traditional Chinese culture. For instance, Confucianism emphasises 
unity and harmony, and says that “a true nobleman has no privacy”.[81] 

The modern concept of “privacy” may be understood as the ability of 
people to control the flow of their information and thereby to reveal it selec- 
tively. It is one of the fundamental human rights and people ought to have the 
right to privacy.[82] Since the late 1990s, Chinese legal pundits and academ- 
ics have been promoting this concept and advocating legalising individual pri- 
vacy. Today, the term of “Ra #42”, “right of privacy”, has been well known by 
the general public. 

In regard to the launch of VPO, Chinese Internet users expect the VPO 
respecting and protecting their right of privacy while safeguarding Cyberspace 
and combating Internet crimes, [83]as illustrated by the following case. 

Earlier this year, Miss Wang’s housekeeper Mrs Wu, a woman from 
countryside in her late 40s, was about to clean Miss Wang’s study as usual. 
However, she saw some strange pictures on the computer screen. She looked 
closer and found out that they were showing 9 different views of the house. Her 
employer had installed nine-CCTV in the house, including her bedroom and the 
toilet. She then went to speak to Miss Wang and was told that it is necessary 
to monitor her work in the house. Mrs Wu soon gave up her job, she said that 
whomever she would work for, she must at least have the right of privacy.[84] 

Discussions on the right of privacy have been carried out in depth 
throughout the country. People started to ask some questions, which have never 
been asked before. How to balance the right of privacy during the criminal in- 
vestigations?[85] Where should the line lie in news reporting regarding right 
of privacy?[86] How to protect citizens’ right of privacy in using of public 
CCTV?[87] Can governments freely use citizens’ personal data in this infor- 
mation age?[88] Should not we respect school students’ right of privacy in the 
name of “school management”?(89] How should we deal with patients’ right 
of privacy?{90] And what about the celebrities’?[91] 

Research has gone beyond. Professor Liu Deliang advocates property 
rights in Personally identifiable information (PII). Deliang stresses that the rat- 
ification of rights in the PII should be based on its value, i.e. both personality 
rights and property rights should be protected if the PII holding value of sub- 
ject’s personality and property interests, while only property rights should be 
granted if the PII contains value of the subject’s property interest merely. He 
further states, in this information age, each single piece of the PII has a poten- 


673 











tial commercial value and thus the property rights should be defended and reg- 
ulated by law.[92] 

China has not adopted an independent privacy law. Currently, the justi- 
fication of privacy is derived from the Constitution, on which also the courts 
and law practitioners heavily rely. 

The Chinese Constitution asserts that the personal dignity of citizens is 
inviolable, and therefore, libel, false accusation or false incrimination directed 
against citizens by any means is prohibited. [93] The protection of freedom of 
the person and the residence has also been defined. [94] Moreover, the law pro- 
vides for the freedom and privacy of correspondence of the citizens, except in 
the cases where “to meet the needs of state security or of criminal investiga- 
tion, public security or procuratorial organs are permitted to censor corre- 
spondence in accordance with procedures prescribed by law”.[95] Besides, the 
Chinese laws grant prosecution of both civil and criminal liability of breach of 
privacy that constitutes a crime.[96] 

On 2 June 2007, a list was posted on a Chinese BBS, which shocked nu- 
merous Internet users and non-users. The list contained 600 celebrities’ pri- 
vate phone numbers and home addresses. The list was soon copied to different 
forums and the information was spread over the country in a very short period 
of time. Many of the celebrities on that list received enormous number of calls, 
greetings, inquisitiveness or harassments and they felt their rights of privacy 
had been breached.[97] 

The same day, Oriental Horizon, the television news magazine of the 
Central China Television, did a questionnaire survey on the topic of this issue. 
In less than 3 hours, 2394 people participated while 84 % of the replies claimed 
that they would respect celebrities’ privacy and would never make the phone 
call, 61 % hoped to have relevant laws to safeguard their privacy. Regarding 
publishing such a list online, 36 % thought the behaviour had infringed others’ 
privacy and was immoral, while 27 % thought it satisfied general public’s cu- 
riosity and 33 % did not care.[98] 

Chinese population is challenging the traditional concept of privacy and 
complementing it with a more modern one. This has been a not-too-slow 
process, and has not yet found its specific provision in Chinese law. It is un- 
derstandable as the modern legal system only started re-building since 1979. 
Besides, the Constitution has demonstrated to be flexible enough to cope with 
the social and economic change. However, it is needed to develop a compre- 
hensive privacy law in order to fully legalise the rights and strengthen the col- 
lective concept of privacy amongst the people. 


674 








3. Discussion 


As introduced earlier, the Internet has a late start but an incredibly growth in 
China. From 620,000 in 1997 to 162 million in 2007, the number of Chinese 
Internet users bloomed over 2600 times in 10 years. Furthermore, more than 
50 million users surf online in Internet cafés. These unique Chinese phenom- 
enons are creating numerous challenges for the Chinese society, as well as the 
developing legal system, including copyright, privacy and censorship in rela- 
tion to the Internet, which are currently under development. The gap between 
China and the West certainly exists with regard to these three aspects of laws. 
Though, the approaches to understand the situation and solve the evident prob- 
lems that this rapid development poses to China and its legal system are var- 
ied. i 

The western views on the Chinese Internet have not been too positive, 
some even set it as a synonym of “governmental censorship”, which detested 
by a number of democratic westerners since it is against the ideal of an inde- 
pendent Cyberspace. However, unfettered freedom in respect of the use of the 
Internet does not promote a healthy development of the Internet, whilst laws 
and regulations imply the intervention of the governments to accomplish an 
end beneficial to the citizens. 

Contrary to that, people in China seem to maintain a rather optimistic at- 
titude towards the Internet. Most Chinese Internet users pay great attention to 
the progress has achieved over the country and what happens around the world. 
They believe that the Internet is helping China to improve its political trans- 
parency, discourse and democracy. Moreover, they demand a controlled Cy- 
berspace, especially for the youngsters, and support legal restrictions and 
censorship on certain contents. 

It is known that advice and help from international parties are vital for 
China’s development. In the case of Internet, without the UoK and Professor 
Werner Zorn’s liberal efforts, the arrival of Cyberspace in China may have 
been delayed. On the one hand, China should take western criticisms and com- 
ments seriously and take action to improve its system. On the other hand, in- 
ternational watchdogs should try to keep the views objective with the primary 
aim of helping China. 

While the Chinese Constitution has provided people’s right to privacy, 
a privacy law is urged to be adopted since the current enforcement is feeble and 
confusing in the absence of specific law and regulations. For example in the 
mentioned disclosure of celebrities’ personal information, simple uncertainties 
remain. Was it an infringing act to post such a list on the Internet? How should 
the cases be litigated and what regulations should be relied upon? 

As indicated in the Oriental Horizon’s survey above, people’s concep- 


675 








tion of privacy is changing in China. They are now much more privacy con- 
cerned and are calling for specific laws to safeguard their right of privacy. To 
scientifically and efficiently define and legalise privacy, to promote the aware- 
ness of respecting other’s right of privacy not only to the general public but also 
to the all levels of governments, China has to act promptly and is in for the 
long haul. Apparently, building an effective and balanced privacy protection 
system has become a mission possible for Chinese lawmakers. 

With regard to copyright, whist compared to other industrial nations that 
have developed the law and regulations for hundreds years, the less than 20 
years old Chinese copyright system is obviously immature, especially the en- 
forcement, which requires further practice. However, the efforts and ongoing 
progress should be admitted, as shown in the three cases introduced earlier. 

In the landmark case, Chen Weihua v CBI, the court has set an example 
on enforcing copyright on the Internet despite the absence of specific law and 
regulations. It demonstrated that courts then were prepared to secure copyright 
enforcement in Cyberspace, even if no such provisions offered. However, the 
judge’s interpretation of works was arguable, whilst it held that a work must be 
fixed in tangible mediums that could be kept stable to allow public to reproduce 
or contact, directly or with help of other means including Internet technology. 
Moreover, the case was not widely noticed by the public in China, which un- 
veils back then that (1) the authorities did not promote copyright solidly; (2) 
the public did not appreciate copyright protection should be extended to Cy- 
berspace as they could get everything free, and (3) the publicity of this case was 
very limited mainly because the plaintiff was just an ordinary man. Of which 
the last was absolutely different from Six Writers v Shiji Ltd, a case that well 
demonstrated “celebrities effects” in China. 

Importantly, Six Writers v Shiji Ltd defined the digitisation of a work 
was only one of the formats of the work and should be controlled by the right 
owner, and confirmed copyright protection on the Internet, which was later 
provided by the CCL 2001. 

Thus, in Chen Xingliang v China Digital Library, based on the newly re- 
vised CCL 2001, the court straightforwardly approved the copyright owner’s 
exclusive rights to control his work over the Internet. Moreover, it underlined 
the importance of maintaining a balance amongst the copyright owner, the IPS 
and user, and touched but un-clarified the fundamental philosophy and a de- 
fence of copyright law, the public interest. 

Nonetheless, without severe punitive damage charged to the infringers, 
could copyright enforcement be effective in China? Furthermore, the follow- 
ing questions ought to be answered by the Chinese copyright law in the near 
future. What is the public interest in copyright? How should public interest be 


676 








exercised in using works online without permission? How does one effec- 
tively obtain the author’s authorisation on the Internet? What copyright meas- 
ures should be taken so as to ensure a protective mechanism for a sustainable 
and healthy development of the online information industry? Last but not least, 
should copyright owners or suspected infringers bear the burden of proving 
that copies of the works have been lawfully authorised? 

Regarding censorship on the Internet, the Chinese majority support cer- 
tain censorship in Cyberspace for a healthy development. Different cultures, 
traditions and values may bring about different viewpoints and approaches on 
the legislation, which should be respected. 

However, law should be made clear, especially concerning the issue of 
censorship. What information may injure the reputation of state organs? And 
what other contents are, specifically, prohibited by laws or administrative reg- 
ulations? 

Moreover, censorship is a double edged sward. The government may 
use it to censor what people un-wanted, may also use it to censor what people 
wanted. The technology behind censorship may allow the surveillance for law- 
breakers online but it would also allow the surveillance for each and every one 
of the users online. Therefore, censorship should be carefully exercised by the 
authorities. As in all laws, a balance must be maintained within. This balance, 
however, is complex for the Chinese authorities, because of the history and the 
legal traditions. China has opened itself to the world since the 1980s and is 
opening up day by day. The Chinese authorities should understand that there 
is no way that people would want to go back to the close, obscure and repres- 
sive old days. A more open, transparent and democratic China is the Chinese 
people’s will, as well as the future for China. 


NOTES: 


UFAR, PRA BRM FLFR, Werner Zorn (2006) Review on the Early 
Works of China Connecting to the Internet, see http://news.xinhuanet.com/newmedia/2006- 
11/21/content_5358804.htm. 

[2] See China Internet Network Information Center (CNNIC) website, retrieved 8 No- 
vember 2007 from http://www.cnnic.net.cn/html/Dir/2003/ 10/22/1001.htm. 

[3] See http://www.cnnic.net.cn/resource/daily/2002-1 1/15.pdf, retrieved 8 November 2007. 
[4] 646, R H5 CNNIC; Mao Wei (2004) Qian Tianbai and CNNIC — To Commemo- 
rate Mr. Qian Tianbai. Retrieved 8 November 2007 from http://www.cnnic.net.cn/html/Dir/ 
2004/02/13/2156.htm. 

[5] See http://www.edu.cn/introduction_1 378/20060323/t20060323 4285.shtml, retrieved 
8 November 2007. 

[6] & AB, Intemet EPRHWAR, Cit SALE) ; Qian Tianbai (1996) Development 
of the Internet in China, retrieved 8 November 2007 from http://www.cnnic.cn/re- 
source/daily/199809/6.shtml. 


677 








[7] See http://www.cnnic.net.cn/html/Dir/2003/10/22/ 1003.htm, retrieved 8 November 
2007. 

[8] See http://www.edu.cn/introduction_1378/20060323/120060323_4285.shtml, retrieved 
8 November 2007. 

[9] Ibid. See also shui mu ging hua BBS, http://www.smth.edu.cn/frames.php, retrieved 3 
November 2007. 

[10] See Statistical Report of the Development of Chinese Internet. Retrieved 3 November 
2007 from http://www.cnnic.net.cn/download/manual/en-reports/ 1.pdf. 

[11] See Statistical Survey Report on the Internet Development in China (July 2007). Re- 
trieved 3 November 2007 from http://www.cnnic.net.cn/download/2007/20thCNNICre- 
port-en.pdf. l 

[12] About ONI, retrieved 3 November 2007 from http://opennet.net/about. 

[13] See ONI websites, retrieved 3 November 2007 from http://map.opennet.net// 
index2.html. 

[14] List of the 13 Internet enemies (7 November 2006), retrieved 3 November 2007 from 
http://www.trsf.org/article.php3?id_article=19603. 

[15] Open letter asking head of China Telecom to keep promise to restore Internet services 
(26 October 2007), retrieved 3 November 2007 from http://www.tsf.org/article.php3?id_ar- 
ticle=24126. 

[16] http://www. google.co.uk/search?q=Internet+China&hl=en&start=0&sa=N, retrieved 
5 November 2007. 

[17] From Child Porn to China, in One Cleanfeed (2006) 3:3 SCRIPT-ed, retrieved 3 No- 
vember 2007 from http://www. law.ed.ac.uk/ahre/script-ed/vol3-3/editorial.doc, 

[18] http://w2.eff.org/Censorship/Internet_censorship_bills/barlow_0296 declaration, re- 
trieved 8 November. 

[19] http://www.iwf.org.uk/police/page.22.htm, retrieved 8 November. 

[20] See Computer Crime Unit, http://www.met.police.uk/computercrime, retrieved 8 No- 
vember. 

[21] http://www. parliament.uk/parliamentary_committees/lords _ press_notices/pn10080 
7st.cfm, retrieved 8 Nov. 

[22] ] RIR, ERA SHARAN Se: — HEART RAAB, 

(tS ZH) 1990846 HA IAE :1 1-28; Chen Lihui, The Internet and the Re- 
form of Social Orgnisational Model: an Ongoing Deep Social Transformation, Social Si- 
cience Research 1998(6)11-28. 

[23] FR, BMH GS + EBOA--AMRWRE, (AWE) 20024 3#, 
IEW: 141-146; Xu Ying, The Internet, Public Domain and Living Politics - Di- 
scussion on the Number Digit Democracy, The Journal of Humanities 2002(3) 141-146. 
[24] “PUB”, “Internet Wedding”, is not accepted nor protected by Chinese laws. For some 
definitions of it, see http://zhidao. baidu.com/question/2759906 1 .html?fr=idrm; for a site 
that hosts Internet Weddings, see http://love.club.sohu.com/search_wedding.php. Both re- 
trieved 5 November. 

[25] AA A Oi BX FF BH Sch WZ, Dalai Lama give up Tibetan Independence, Retrieved 5 No- 
vember 2007 from http://www3.beidabiz.com/bbs/viewthread.php?tid=4567. 

[26] ARH ARAALE ? Dear All, what do you think about the Independence 
of Tibet? Retrieved 5 November 2007 from http://www.thegreatwall.com.cn/phpbbs/ 
index.php?id=80341 &forumid=4. 

[27] See http://www.wwm.cn/Research/guo_liang 2005_toc.htm, retrieved 8 November 
2007. 

[28] ER, LAFEMAA GARR, Ch)AESHREAE) 20078688 11- 


678 








13; Wang Ying, Let Children Grow Healthily in the Internet Life, School IT Education 
2007(6)11-13. 
[29] See CASS survey on Internet Usage and Impact, http://www.wwm.cn/Research/ 
guo_liang 2005_toc.htm. 
BO SHA RAE HM HRS FSS RP EAA (HETRE) o See 
History of Ancient China, current text book for Senior High in China, published by the Pe- 
ople’s Education Press. 
[31] See http://law.nju.edu.cn/Article/ShowInfo.asp?ID=407, retrieved 8 November 2007. 
[32] Retrieved 8 November 2007 from http://blog.chinacourt.org/wp-profile1 .php?p=70511 
&author=263 and http://www.people.com.cn/GB/guandian/29/17 1/20020207/664795.btml, 
[33] Article 1. The previous state constitutions of 1954, 1975 and 1978 were superseded in 
turn. 
[34] Article 125. 
[35] Article 35. 
[36] Article 13, 20 and 47. 
[37] Tang Guanhong (2004) A Comparative Study of Copyright & the Public Interest in the 
UK and China, SCRIPT-ed 1:2 272-300. 
[38] Article 10 (1)-(5). 
[39] AR Internet: “HER”, (ARPES) 19994 4HA86W; Free Internet: “the 
Chinese and West Set Menu”, Chinese Internet Times 1999(4) 86. 

[40] LR ABEKARERR SARA ( 1999 ) B14) FH 185; Beijing Haidian 
District People’s Court Tort Judgement Number (1999)18. 
[41] IRA BEKARERRBAAH ( 1999 ) WAWFH57 5; Beijing Haidian 
District People’s Court Tort Judgement Number (1999)57. 
[42] See http://news.sina.com.cn/china/ 1999-9-19/15748.html, retrieved 5 November 2007. 
[43] SK R, ERK, KA, FRE, NBBSAWHERF 
BRORERRARAA (ASHE) 20004 3 13484-8901 Zhang Guangliang, Six 
Writers v Shiji Internet Communication Technology Ltd, Law and Technology 2000(1)84- 
80, SAL, AFERA ERRAR MSA (ARSE) 2000751 Hi 
93-940 Wen Xu, Comments on Six Writers v Beijing On Line, Law and Technology 
2000(1)93-94. F , PAI TS ERGKW ER : ERFARER ta BK 
By Be (ASHE) 20001 90-920Zhang Ping, Copyright on the Internet: 
Review Six Writers v Shiji Ltd, Law and Technology 2000(1)84-89. 
[44] See http://news.sina.com.cn/comment/1999-1 2-14/41971 html, retrieved 8 November 
2007. 
[45] See http://news.sina.com.cn/comment/ 1999-10-21/24207.html, retrieved 8 November 
2007. 
[46] http://english.peopledaily.com.cn/20011 1/08/eng20011108_84101.html, retrieved 8 
November 2007. 
[47] Article 2, 3 and 5. 
[48] Article 9 and 10. 
[49] Article 22 and 23. 
[50] Article 25. 
[51] Article 46-55. 
[52] The membership policy is broadly adopted in Chinese libraries including the public li- 
braries and non-member users are not allowed to borrow books and ete. 
[53 RH BMF LAS ERR RMN; Tan Lingling, The Enlightenment 
of the First Digital Library Case in China, Journal of Chinese IP [2002] 12. 
[54] BRERA H oh PT zh’ ig Bi]. NCAC News Conference: 





679 








Crash Down Actions on the Internet Copyright Infringement. 

[55] Article 2. 

[56] Article 17. 

[57] Article 7. 

[58] Article 8. 

[59] Article 12 (1)-(4). 

[60] See http://www.ucsusa.org/global_security/china/chinese-perspectives-on- 
transparency-and-security.html, retrieved 6 November. 

[61] See the MII Essential Work List 2006, retrieved 6 November 2007 from the official 
website http://www.mii. gov.cn/art/2006/05/22/art_21_13930.html 

[62] Article 7. 

[63] Article 4. 

[64] Article 8 and 10. 

[65] Article 16. 

[66] Article 57. 

[67] Article 1. 

[68] Article 13. 

[69] Article 14. 

[70] See http://www.people.com.cn/GB/it/5 1/20030209/919987.html, retrieved 6 Novem- 
ber 2007. 

[71] See http://www.chinadaily.com.cn/china/2007-08/29/content_60663 10.htm, retrieved 
6 November 2007. 

[72] See http://english.peopledaily.com.cn/200601/ 10/eng20060110_234314.html, re- 
trieved 6 November. 

[73] See http://www.bj .cyberpolice.cn/index.htm, retrieved 8 November 2007. 

[74] See http://www.chinadaily.com.cn/china/2007-08/29/content_60663 10.htm, retrieved 
6 November 2007. 

[75] See Internet Society of China website http://www.isc.org.cn/ShowArticle.php?id 
=8005, retrieved 6 Nov. 

[76] http://bbs.soxj.com/dispbbs.asp?boardID=53&ID=63606&page=1, retrieved 8 No- 
vember 2007. 

[77] http://it.sohu.com/20060516/n243251957.shtml, retrieved 8 November 2007. 

[78] http://club. 163.com/viewArticleBy WW W.m?boardId=v-tdkj&articleld=v-tdkj_1 14f9d 
74b242a40_O&boardOffset=0, retrieved 8 November 2007. 

[79] http://topic.csdn.net/t/20041002/ 15/3424047.html, retrieved 8 November 2007. 

[80] http://bbs. hacker.cn/redirect.php?fid=2 1 7&tid=25972&goto=nextoldset, retrieved 8 
November 2007. 

[81] See Shuer VII, The Analects. One of the e-versions can be obtained at and retrieved 6 
November 2007 from http://zhihai.heshang.net/Article/foshuku/wxdj/200504/ 10729. html. 
[82] S.D. Warren and L.D. Brandeis (1890)The Right to Privacy, Harvard Law Review, 
Vol. 4, No. 5 193-220. 

[83] http://www.bokerb.com/logshow.asp?id=18615, retrieved 8 November 2007. 

[84] Ells, REE BeOS RSA MRIS, (BUSSE) 2007487811 ; Liang Zheng, 
An Employer Installed Nine-CCTV to Monitor the Housekeeper, Government legality 
2007(7)11. ; 

[85 BAF, WSBASORBAMEP, Sh 3K 1F1E2007:4(6)-22-26; Pan Liping, 
Criminal Investigation and Protection of Rights of Privacy, US-China Law Review 
2007:4(6)-22-26. 

[86] WER, MRKA: MRBBAMKERARRA SHARE SRAMAP, 


680 











$1) SS E-2007(1)-55-56; SME, PPBHRAMBAR SA, MAKR- 
2007(8)54-55; Liu yumin, Law Through Cases: A HIV Orphan sued the News Reporting 
for Protection Right of Privacy, News Practice 2007(8)54-55. 

[87] BH, “BFR FAR BARA RP, RAAHE 2007(08A)112-1 19; Ma We- 
nzheng, Citizens’ Rights of Privacy under the “E-eyes”, China Public Security 
2007(08A)112-119. 

[88] 3 F, BUTE BSGEEN ROA RRARAP, 3£3# 2007(7)-23-41; Sun Ping, Ci- 
tizens’ Rights of Privacy in Governments’ Massive Database, Law Science 2007(7)-23-41. 
[89] PMR, FRAP RWS MR VTA RRLGRE, RRARAAKSS 
2007(06B)25-28; Sun Peiyu, The Breach of Students’ Privacy in School Management, 
SEPH2007(06B)-25-28. 

(00) Em% DRAP RENAR EMAAR, Pep AR AR 
2007:5(8)64-65; Cao Liping and Ma Xiuhua, Protect Patients’ Right of Privacy, China Me- 
dicine 2007:5(8)64-65. l 

[91] REE, HICARA MMR AERP, SAF 2007(07X)64-65; Song Zhu, 
Discussions on Lawful Protection of Celebrities’ Privacy, Law and Economy 2007(07X)64- 
65. 

[92] See Asia-Pacific Institute for Cyber-law Studies website http://www.apcyber-law.com, 
retrieved 6 November 2007. 

[93] Article 38. 

[94] Articles 37 and 39. 

[95] Article 40. 

[96] Article 252 and 254, General Principles of Criminal Law in the People’s Republic of 
China. 

[97] See http://news.xinhuanet.com/legal/2005-06/09/content_3061604.htm, retrieved 6 
November 2007. 

[98] Ibid. 


681 





Sylvia Mercado Kierkegaard (ed.) 


List of Contributors 


Rolf H. Weber 
Warren Chik 

Joseph Savirimuthu 
Michel Tison 

Zuzana Slovakova 
Edward A. Morse 
Nigel Wilson 

Tim Vollans 
Omphemetse Sibanda 
Carlos Alberto Rohrmann 
Einer Hannesson 
Rebecca Wong 
Kristof Maresceau 
Richard De Mulder 
Pieter Kleve 

Ji Lian Yap 

Aditi Agarwala 

Paul Przemyslaw Polanski 
Bart Custers 

Eleni Costa 

Jan Zibuschka 

Juliet M. Moringiello 
Angela Adrian 

Jos Dumortier 

Tobias Scherner 
Dinusha Mendis 
Huaiwen He 

K.P. Abinava Sankar 
Nikhil L.R. Chary 


ISBN 13: 87-991385-3-0 


Chen Jinjin 

Li Raojuan 
Mohammad Alramahi 
Akhil Prasad 

Shalini Kesar 

Yun Wan 

Qi Zhu 

Atip Latifulhayat 
Rasika Dayarathna 
Sabah S. Al-Fedaghi 
Muhammad Usman Iqbal 
Samsung Lim 

Daniel B. Garrie 
Daniel W. Loewenherz 
Jiri Strouhal 

Ma Minhu 

Feng Liyang 

Dong Zhifang 

Wen Li 

Ladislav Mejzlik 

Jana Istvanfyova 
Jason S. de Albergaria Neto 
Kwok Hung Mak 
Barry Chin Chi Yung 
Peter Stavroulakis 
Steven Stavroulakis 
Ma Hairong 

Ma Minhu 

Tang Guan Hong 


ISBN 10: 978-87-991385-3-1 


